Effect of Pipelining and Multiplexing in Estimating HTTP/2.0 Web Object Sizes

HTTP response size is a well-known side channel attack. With the deployment of HTTP/2.0, response size estimation attacks are generally dismissed with the argument that pipelining and response multiplexing prevent eavesdroppers from finding out response sizes. Yet the impact that pipelining and response multiplexing actually have in estimating HTTP response sizes has not been adequately investigated. In this paper we set out to help understand the effect of pipelining and response multiplexing in estimating the size of web objects on the Internet. We conduct an experiment that collects HTTP response sizes and TLS record sizes from 10k popular web sites. We gather evidence on and discuss reasons for the limited amount of pipelining and response multiplexing used on the Internet today: only 29% of the HTTP2 web objects we observe are pipelined and only 5% multiplexed. We also provide worst case results under different attack assumptions and show how effective a simple model for estimating response sizes from TLS record sizes can be. Our conclusion is that pipelining and especially response multiplexing can yield, as expected, a perceivable increase in relative object size estimation error yet the limited extent of multiplexing observed on the Internet today and the relative simplicity of attacks to the current pipelining mechanisms hinder their ability to help prevent web object size estimation.