>A sufficiently motivated attacker could guess what you're looking at from the size of the transactions and other metadata.
> For example if cuddly_kitten.jpg is 500k and how.to.be.a.scary.terrorist.pdf is 2MB, it's possible for someone with access to your connection to make an educated guess as to what you're looking at.
True. Though if we're staying on one broad domain (for example working from Google's cache) it's not quite so easy to make that educated guess. Yes it probably isn't an image due to size and time between requests, but what else could it be, there's a large variety of options?
That all falls apart as soon as you change between domains though (as you would with a Google search). Even if the FQDN wasn't in the SNI exchange, you've still got to place a DNS query. If you're looking at a lot of different sites during the same browsing session, is there any commonality?
Browsers block it by default now, but one traditional route of leakage was HTTP resources on a HTTPS site, snarf the referrer header from the plaintext requests and you know exactly what your mark was looking at. Something similar can still be done if the HTTPS site is silly enough to carry flash based adverts too.
Basically, yeah, if the person watching is sufficiently motivated, there's not an awful lot you can do to keep that information secret, but there's plenty you can do as a "casual victim" to make it harder for someone to peruse
Biting the hand that feeds IT
