[Tomdarkness]

HTTPS is not really that effective for privacy. An attacker can still see what site you visited (Well, the IP, but it would be fairly trivial to get the domain as well) and with a little bit of analysis could most likely make a fairly accurate educated guess about exactly which page you requested.

[Hannan]

>> ...and with a little bit of analysis could most likely make a fairly accurate educated guess about exactly which page you requested.

Could you elaborate on this? I would have assumed that with the request URI being encrypted that this would be extremely difficult (load times/payload size maybe?) for all but the simplest of sites.

[Tomdarkness]

Yeah, essentially it comes down to timings/measuring payload lengths. Even for complex websites it may still be possible to attempt to infer what you're viewing. For example, if you are interested, take a look at this research paper which explains how to capture what a user is typing in an auto complete (i.e sends a request every time you type a character) box even over an encrypted connection:

http://research.microsoft.com/pubs/119060/WebAppSideChannel-...

Which could leak information about what you're looking at or looking for. The site is not mentioned specifically in the paper but Amazon uses a autocomplete for it's search which exhibits similar behaviour to what is discussed in the paper. So even on a site like Amazon if you visited it over a secure connection an attacker could most likely find out what you are searching for or looking at on Amazon.

[Hannan]

Thanks for the explanation and the link, much appreciated!