... random padding without (at least) pipelining and placards *is* worthless to protect against traffic analysis
No, that is not true, and http://www.ieee-security.org/TC/SP2012/papers/4681a332.pdf explains why. Padding makes it difficult but not impossible to distinguish between two HTTPS destinations. 4,300,000 destinations is right out.
since any reliable method to do it would be necessarily robust against deviation in size....
That's like saying any reliable method to solve satisfiability in polynomial time would be necessarily robust against variations in the number of terms per expression. It's not even wrong.
When is the Foundation going to obtain the expertise to protect readers living under regimes which completely forbid HTTPS access to Wikipedia, like China? I suppose I better put that bug about steganography for the surveillance triggers from TOM-Skype in bugzilla. I wish that could have happened before everyone goes to Hong Kong.
On 08/02/2013 08:15 PM, James Salsman wrote:
No, that is not true, and http://www.ieee-security.org/TC/SP2012/papers/4681a332.pdf explains why. Padding makes it difficult but not impossible to distinguish between two HTTPS destinations. 4,300,000 destinations is right out.
... have you actually /read/ that paper? Not only does it discuss how naive countermeasures like you suggest aren't even able to protect against identification at that coarse level, they are presuming much *less* available data to make a determination than what is readily available from visiting /one/ article (let alone what extra information you can extract from one or two consecutive articles because of the correlation provided by the links).
Traffic analysis is a hard attack to protect against, and just throwing random guesses at what makes it harder is not useful (and yes, padding is just a random guess that is /well known/ in the litterature to not help against TA despite its benefits in certain kinds of known plaintext and feedback ciphers).
I recommend you read ''Secure Transaction Protocol Analysis: Models and Applications'', by Chen et al (ISBN 9783540850731). It's already a little out of date and a bit superficial, but will give you a good basic working knowledge of the problem set and some viable approaches to the subject.
-- Marc
wikimedia-l@lists.wikimedia.org