You forgot that:
- the connection is permanent, multiple requests pipelined through the same connection
- The pages are by today's standard variable sized, headers are variable sized
- Compression is often used
- AES and most symmetric ciphers are block ciphers and rounded
People pointing out all of the ways my response COULD be wrong or if x, y, z countermeasures taken then my scheme is foiled... and if you used TOR or something then even your IP would be safe... My central goal here is to communicate Joe Biden's point when asked about telephone metadata collection, not to nitpick and dot my j's and cross my 0's.
Let's examine some of the responses...
Well just add padding so they won't know... well ok...who is doing that?
Multiple requests encapsulated in an HTTP 1.1 pipeline or futuristic 2.0 scheme... so what? You visit a page and the chatter stops while you're reading it and starts up again when you click something else and follow a different link.
There could be dynamic content and that could render it difficult to discern x, y and z... This could be true or not depending on the site.
Compression - I don't get how this is relevant... When NSA/KGB goes to your site to collect baselines wouldn't the data be compressed or not the same as any other visitor?
- AES and most symmetric ciphers are block ciphers and rounded
With AES you're looking at a block size of between 16 and 32 bytes.
Insecure shopping cart comments.. If you have a shopping cart on your website it stands to reason you already have an SSL certificate so the question posed regarding value of HTTPS over HTTP is not applicable - otherwise I agree what you enter on a form is probably very safe from prying eyes when using HTTPS vs HTTP.
Random padding for BREACH mitigation... I'll believe there is someone on earth who cared enough to implement this vs simply disabling compression for *dynamic* assets when I see it for myself. Compression overhead for dynamic content was always of questionable ROI as it is.