On Jun 4, 2015, at 1:20 PM, Tony Hain <alh-ietf@xxxxxxxx> wrote:

> The set of possible requests is inherently public information. Pairing a
> request length with the possible set of return lengths seriously reduces the
> set, and that is before you factor in who is being watched and what they
> might be looking for.

No. RFC numbers are all the same length, except for the very early ones. Plus, the headers in a request vary enough that it's unlikely that this attack would be as easy as you say; furthermore, https used for privacy is most effective at preventing passive attacks, and in this case the expense of doing the sort of analysis you are describing would be significant.