Could there be a workaround?
If I’m understanding the hack correctly, the traffic analysis is based on the pattern of services the user accesses online: doing this thing on this server and that thing on that server. Supplemented with headers and timestamps, you get a pretty full picture, sufficient to identify the user regardless of his sitting behind an encrypted tunnel to a proxy server.
Padding the traffic with gibberish will no doubt help. But even if you add noise there is still signal. You really did post to Twitter and read that BBC news article, even if the “padding” adds a bunch of other stuff, like some online version of the “babble box”.
What about a hypothetical service that amalgamates the other services? And not just acting as a proxy for them either. It really acts like them as far as the user is concerned. He types in www.hyptectical.org/bbcnew/article.html and he sees the same article as if he had gone straight to www.bbcnews.co.uk/article.html. For static content the functionality could be much like a caching proxy. But for more dynamic stuff the hypothetical service would have application logic and act like the service the user is requesting when he requests it, and the same for others.
The user submits a request over https containing what the server should do – the logic. It does it and returns the answer/data/whatever. Morphing to fit the requirements the user requests.
NSA would then lose the information of a pattern of visiting sites. That still leaves timestamps of visiting this morphic site, but it would not be known what took place there.
Adding the babble box functionality and padding headers to fixed length as mentioned above, this could be quite secure.
This is all speculation of course, but I’m thinking there are avenues worthy of pursuit here.