... and request sizes, relative times, and time of day. It would be foolish to not assume that the complete history of your sessions can be inferred from how this data clusters, everything but the actual text of your messages.
Of course the people that find this problem worthwhile to solve then go on to work for or found surveillance companies, rather than publishing proofs of concept to security lists.
We also already know the type of molds the surveillance companies are trying to fit us in, from their own marketing materials (e.g. https://www.experianintact.com/content/uk/documents/productS...). Do you really think there isn't enough metadata being leaked to bucket people into these categories?
And yeah, IP proxying is a hack. But it's seemingly the best we can do to mitigate the utterly broken HTTPS/JS protocol stack.
There are other straightforward advantages too, like having location targeting miss the mark, which breaks up the coherency of their manipulation. I've got zero intrinsic interest in local/news events for elsewhere.
TLS has optional padding. In TLS 1.3 clever design means the padding is "free" (each byte of padding adds exactly one byte of data transmitted) so if you would like the sizes transmitted to be misleading you can choose how much.
We can't solve for you the question of how much to use. If you want a snooper to not know if you retrieved file A of 14583 bytes or file B of 14621 bytes maybe a very small amount of padding will get the job done. If file B was 800 Mb that's a lot more padding you're asking for.
Sure, but that doesn't really address how clients/websites use it right now, or even scale up to solving the fundamental problem (the best you can do is hide bits by padding requests/responses to a discrete set of lengths).
If you're responding to my characterization of HTTPS/JS as "broken", I'm referring to the fact that it needs to make a connection to a well-known centralized-authority server every time it wants to retrieve a resource, leaving you at the mercy of your transit (and the server itself, which is obviously another major source of surveillance). Whereas something based on ideas like content-centric networking (e.g. Freenet) allows a user agent to retrieve those resources from peers or broadcasts, perhaps even over virtual constant-bitrate links.
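For the padding trade-off discussed in this thread (file A of 14583 bytes versus file B of 14621 bytes, and padding to a discrete set of lengths), here is an added example that is not code from any of the commenters. It assumes a power-of-two bucket policy, a 16-byte AEAD tag, and reads "800 Mb" as 800 * 10**6 bytes; the function names are hypothetical.

```python
# Added illustration; record-size limit is from RFC 8446, the 16-byte tag
# is an assumption (AES-GCM / ChaCha20-Poly1305 suites).
TLS_MAX_CONTENT = 2**14        # max content + padding bytes per TLS 1.3 record
RECORD_OVERHEAD = 5 + 1 + 16   # record header + inner content-type byte + AEAD tag


def padded_length(size, bucket):
    """Round a payload size up to the next multiple of `bucket`."""
    return -(-size // bucket) * bucket


def wire_bytes(size, bucket=1):
    """Bytes an on-path observer can count for one response of `size` bytes."""
    padded = padded_length(size, bucket)
    records = -(-padded // TLS_MAX_CONTENT)
    return padded + records * RECORD_OVERHEAD


def smallest_hiding_bucket(sizes):
    """Smallest power-of-two bucket that gives every size the same wire length."""
    if min(sizes) <= 0:
        raise ValueError("sizes must be positive")
    bucket = 1
    while len({wire_bytes(s, bucket) for s in sizes}) > 1:
        bucket *= 2
    return bucket


def report(sizes):
    """Return the chosen bucket and the padding bytes each size pays for it."""
    bucket = smallest_hiding_bucket(sizes)
    return bucket, {s: padded_length(s, bucket) - s for s in sizes}


if __name__ == "__main__":
    # Constructed inputs: the two near-equal files from the comment, then a
    # small file next to an 800 MB one (taken here as 800 * 10**6 bytes).
    for sizes in ([14583, 14621], [14583, 800 * 10**6]):
        bucket, padding = report(sizes)
        print(f"sizes={sizes} bucket={bucket}")
        for s, pad in padding.items():
            print(f"  {s} bytes -> {wire_bytes(s, bucket)} on the wire, {pad} padding")
```

The two near-equal sizes straddle the 14592 boundary, so buckets up to 256 bytes still tell them apart even though they differ by only 38 bytes.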