On 4 Jun 2015, at 9:37, Tony Hain wrote:
My overall concern here is that statements like this undermine the integrity of the organization. I understand people wanting to improve overall privacy, but this step does not do that in any meaningful way.
Encrypting the channel does provide some small amount of privacy for the *request*, which is not public information. Browser capabilities, cookies, etc. benefit from not being easily-correlated with other information.
It would be interesting to define an HTTP header of "Padding" into which the client would put some random noise to pad the request to a well-known size, in order to make traffic analysis of the request slightly more difficult. This is the sort of thing that comes up when we talk about doing more encryption for the IETF's data, which shows the IESG's suggested approach to be completely rational.
-- Joe Hildebrand