Moving away from Cloudflare is a somewhat difficult task. Our team isn't very large, to be honest, and we had other things to work on. But in general there is an agreement amoung us that Cloudflare should be phased out, and we will do it, hopefully soon. Not so sure about Google Analytics, though, because we kind of depend on them as a business. This needs more consideration.
I'm happy to hear you're taking steps in the right direction with cloudflare. To be honest, moving away from them should be a rather easy task... Most registrars offer to use their nameservers for free. That way you can edit your dns records straight from a gui offered by your registrar.
On top of that, you can use letsencrypt's free certificates, they even have a certificate bot that makes installing and renewing certificates rather easy (even for novice users).
As long as you keep using cloudflare's SSL you HAVE to realise your users are sending/receiving encrypted requests to CLOUDFLARE, cloudflare decrypts these requests and
forewards them to your server (either encrypted OR UNENCRYPTED... We have no idear if your host has ssl encryption). Cloudflare will be able to log EVERYTHING (they literally have the UNENCRYPTED data in hand)... They know who your visitor is (his ip), they know the exact content of your letter of guarantee, they know which deposit address you presented him/her with, they know which receiving address was sent to you,... They know (and potentially log) EVERYTHING... They are US based to...
About the continued use of google analytics, i strongly disagree that this should ever be an acceptable move for a mixing service... The key point of your business is offering anonimity for your users. As long as you enable google analytics, google will know exactly who visited your site, when, from where, using which browser, which refferer, and they might even track your visitors to the next site they visit.
Imagine their next visit is an online wallet (novice users can be ignorant and still use online wallets): wallets don't have to be completely anonymous, so it's perfectly acceptible if they also enabled google analytics. At this point, google will know where your visitor came from, which pages he visited on your site and where he went afterwards... This way the chain is complete and you've given a complete overview of your customer to a big, US based company.
Now, let's start from the worst case scenario: i'm a person that uses your mixer, but for some reason the US doesn't like me... A quick request sent to both cloudflare and google will allow them:
- To know which page i visited before visiting your host
- To know at which exact moment i visited your host
- Every piece of data send from or received from your host
- Every timestamp, my browser, my language, my OS,...
- Which site i visited after visiting your mixer
In other words, they'll be able to identify my source address and my destination address aswell as all metadata related to the mixing process (timestamps, pages, hosts, browser info, os info,...)