Great to hear that pipelining is already in use! I guess HTTPS plus pipelining
could mean that file size is no longer reliably readable for the network
observer. I've never profiled TLS and pipelining to know if there are still
visible signatures that would let the network observer find the borders of file
downloads, so I can't personally say for sure that padding would not still be
useful.
I agree that padding to something like 1MB would be required to strip out all
size metadata. A small amount of padding would obscure a lot of metadata since
there are many packages that are close to the same size. I've also been
thinking about general fingerprintability, not just detecting whether a specific
security update is being applied. The general pattern of packages could be
enough to identify a lot of boxes.
I was thinking this was a low hanging fruit. If it is not, and you don't want
to track this, I'm fine with it being closed.
OpenSSL does Record Padding also:
https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html
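As an added illustration of the size-metadata argument above (not code from the thread or from any project it mentions), the script below pads a constructed set of package sizes to several granularities and reports how many packages remain uniquely identifiable by their on-wire size, and at what bandwidth cost. Package names and sizes are made up.

```python
"""Added example: how padding downloads to a fixed granularity shrinks the
size metadata a passive network observer can read. PACKAGES is constructed
sample data, not real repository metadata."""

# Constructed (package, size in bytes) pairs; several are deliberately close
# in size, as real package repositories tend to be.
PACKAGES = [
    ("alpha", 1_048_000), ("beta", 1_050_200), ("gamma", 1_049_500),
    ("delta", 412_300), ("epsilon", 413_900), ("zeta", 3_200_100),
    ("eta", 3_199_000), ("theta", 77_800), ("iota", 78_100),
    ("kappa", 5_900_000),
]

def padded_size(size: int, granularity: int) -> int:
    """Size on the wire after padding up to the next multiple of granularity
    (integer arithmetic, so exact multiples are left unchanged)."""
    return (size + granularity - 1) // granularity * granularity

def anonymity_sets(packages, granularity):
    """Map each observable padded size to the set of packages producing it."""
    groups = {}
    for name, size in packages:
        groups.setdefault(padded_size(size, granularity), set()).add(name)
    return groups

def uniquely_identifiable(packages, granularity):
    """Packages whose padded size is shared with no other package; these are
    still fingerprintable from size alone at this granularity."""
    return sorted(name for names in anonymity_sets(packages, granularity).values()
                  if len(names) == 1 for name in names)

def overhead_ratio(packages, granularity):
    """Extra bytes transferred because of padding, as a fraction of the real total."""
    real = sum(size for _, size in packages)
    padded = sum(padded_size(size, granularity) for _, size in packages)
    return (padded - real) / real

if __name__ == "__main__":
    for g in (1, 4096, 65536, 1 << 20):
        unique = uniquely_identifiable(PACKAGES, g)
        print(f"granularity={g:>8}: {len(anonymity_sets(PACKAGES, g))} distinct sizes, "
              f"{len(unique)} uniquely identifiable, "
              f"overhead={overhead_ratio(PACKAGES, g):.1%}")
```

Note that "alpha" sits just under the 1 MiB boundary and therefore stays distinguishable from "beta" and "gamma" even at 64 KiB granularity, which is the kind of boundary effect a real padding scheme has to account for.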