Re: Proposed Statement on "HTTPS everywhere for the IETF"

2015-06-04 12:39:46
On Jun 4, 2015, at 1:20 PM, Tony Hain <alh-ietf(_at_)tndh(_dot_)net> wrote:
The set of possible requests is inherently public information. Pairing a
request length with the possible set of return lengths seriously reduces the
set, and that is before you factor in who is being watched and what they
might be looking for.

No. RFC numbers are all the same length, except for the very early ones.
Plus, the headers in a request vary enough that it's unlikely that this attack
would be as easy as you say; furthermore, https used for privacy is most
effective at preventing passive attacks, and in this case the expense of doing
the sort of analysis you are describing would be significant.
