
And to tack on - this is how they act like a CDN. In general they don't pull CSS, images, etc every time from your server - they pull it once, then cache it at edge locations.


Got it, cool.


They also capture all your content and communications.


More specifically - they terminate your SSL connections, thereby having the cleartext of your traffic - and doing whatever their NSL/gag-order requires them to do before fetching/forwarding your request to the appropriate cache/endpoint.


Which, more specifically, could happen at AWS, GCE, Azure, or your local colo - wherever you happen to terminate SSL.

Save for the scenario of expensive, relatively difficult-to-implement pieces of crypto hardware (and even then, a nation-state could probably defeat it), your traffic is likely vulnerable to determined aggressors.

It's one thing to possess such high-end, esoteric security technology, it's another thing entirely to implement it (and protection for other far more realistic attack vectors) at a CloudFlare-number (or other CDN) of global locations.


Sure.

I guess the bit that really grates on me is the "just give us your private keys, and trust us!" approach, especially with someone who's then routing not insignificant percentages of the total web traffic through their infrastructure.

Snowden showed us the NSA can and does target "high volume" opportunities for mass surveillance - if you look at the PRISM slides and estimate what percentage of global email their "top ten" targets represent, how much would you bet against them already having a similar program in place backdooring Cloudflare (and Akamai and all other significant players in the SSL CDN market)?

It's probably a false hope, but I feel my own SSL cert on a VM on a more Lavabit-scale "local colo" is - while no safer from a targeted NSA/GCHQ/DSD probe looking for _me_ specifically - still significantly less likely to get caught up in a firehose-scale "collect all the things" program.

Although, it's probably just as likely a "red flag" that marks me as a "potential terrorist" at least as accurately as having a public PGP key or a secure messaging app… :-/

