On 4 Jun 2015, at 9:37, Tony Hain wrote:
> My overall concern here is that statements like this undermine the
> integrity of the organization. I understand people wanting to improve
> overall privacy, but this step does not do that in any meaningful way.

Encrypting the channel does provide some small amount of privacy for the
*request*, which is not public information. Browser capabilities,
cookies, etc. benefit from not being easily correlated with other
information.

It would be interesting to define an HTTP header of "Padding" into which
the client would put some random noise to pad the request to a
well-known size, in order to make traffic analysis of the request
slightly more difficult. This is the sort of thing that comes up when
we talk about doing more encryption for the IETF's data, which shows the
IESG's suggested approach to be completely rational.
--
Joe Hildebrand
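
The padding idea in the message above, sketched as an added example that is not part of the original email: it pads an HTTP/1.1 request head to a multiple of a fixed bucket so requests with different cookie lengths have the same size on the wire. The "Padding" header name comes from the message and is not a registered header; the 512-byte bucket, the function names and the sample requests are assumptions.

```python
import secrets
import string

BUCKET = 512  # assumed "well-known size" in bytes; the message names no value
OVERHEAD = len(b"Padding: ") + 2  # header name, separator and trailing CRLF
ALPHABET = string.ascii_letters + string.digits  # safe in a header field value


def serialize(method, target, headers):
    """Serialize an HTTP/1.1 request head (no body) to wire bytes."""
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def pad_request(method, target, headers, bucket=BUCKET):
    """Return the request with a Padding header so that len % bucket == 0."""
    base = len(serialize(method, target, headers))
    # Always leave room for at least one noise byte, so every request carries
    # the header. A request that already sits on (or too close to) a bucket
    # boundary rolls over into the next bucket instead of going out unpadded.
    min_total = base + OVERHEAD + 1
    total = -(-min_total // bucket) * bucket  # round up to a bucket multiple
    noise_len = total - base - OVERHEAD
    noise = "".join(secrets.choice(ALPHABET) for _ in range(noise_len))
    return serialize(method, target, headers + [("Padding", noise)])


if __name__ == "__main__":
    # Constructed sample requests: same resource, different cookie lengths.
    anonymous = [("Host", "example.org")]
    logged_in = [("Host", "example.org"), ("Cookie", "sid=" + "a" * 120)]
    for hdrs in (anonymous, logged_in):
        raw = len(serialize("GET", "/doc/rfc7258/", hdrs))
        padded = len(pad_request("GET", "/doc/rfc7258/", hdrs))
        print(f"unpadded={raw:4d}  padded={padded:4d}")
```

Padding hides only the request length within a bucket; response sizes and timing remain visible to an observer, which fits the message's "slightly more difficult".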