FWIW, neither does the TLS layer: because the video is all chunked into fixed-time-length segments, each video causes a unique signature of variable-byte-size segments, making it possible to determine which Netflix movie someone is watching based simply on their (encrypted) traffic pattern. Someone built this for YouTube a while back and managed to get it up to like 98% accuracy.
Did TLS 1.3 fix this with content length hiding? Doesn't it add support for variable-length padding that could prevent the attacker from measuring the plaintext content length? Do any major servers support it?
saurik|3 years ago
https://www.blackhat.com/docs/eu-16/materials/eu-16-Dubin-I-...
https://americansforbgu.org/hackers-can-see-what-youtube-vid...
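An added example, not part of the thread: a simplified model of the padding question raised above. It measures how many titles stay distinguishable, and at what bandwidth cost, when every segment is padded up to a multiple of a bucket size. The segment sizes, title names and bucket choices are constructed assumptions, and the model ignores record framing and timing.

```python
# Constructed sample data: per-segment sizes in bytes for three hypothetical
# titles. Real sizes depend on the encoder and bitrate ladder.
SEGMENTS = {
    "title_a": [412_300, 388_120, 501_990, 297_450, 455_010],
    "title_b": [420_880, 379_640, 489_300, 310_020, 447_700],
    "title_c": [198_400, 640_250, 233_900, 575_100, 402_660],
}

# Bucket sizes to compare (assumed policies): no padding, one full TLS record
# of plaintext (2**14 bytes), 128 KiB, and 1 MiB.
BUCKETS = [1, 2**14, 2**17, 2**20]


def pad_up(size: int, bucket: int) -> int:
    """Round size up to the next multiple of bucket (the padded length)."""
    return -(-size // bucket) * bucket


def observed(sizes, bucket):
    """Sequence of segment lengths visible on the wire under this policy."""
    return tuple(pad_up(s, bucket) for s in sizes)


def evaluate(segments, bucket):
    """Return (distinct size sequences, fractional bandwidth overhead)."""
    prints = {name: observed(s, bucket) for name, s in segments.items()}
    raw = sum(sum(s) for s in segments.values())
    padded = sum(sum(p) for p in prints.values())
    return len(set(prints.values())), (padded - raw) / raw


if __name__ == "__main__":
    for bucket in BUCKETS:
        distinct, overhead = evaluate(SEGMENTS, bucket)
        print(f"bucket={bucket:>8}  distinct={distinct}/{len(SEGMENTS)}  "
              f"overhead={overhead:.1%}")
```

On this sample, padding to a single full record leaves all three sequences distinct, and they only collapse into one when every segment is padded to the same length, at more than double the bandwidth.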
nightpool|3 years ago