What bothers me is that neither the author nor anyone here metioned that HTTPS does leak metadata in the form of the SNI extension which provides the server with the requested host before the cert exchange.
And even without SNI (e.g. IE on XP), there must be only one SSL site hosted on that particular IP, so the attacker can just connect to it and see what site (s)he gets.