> What do you think of including a header? Is there a way to find out
> from the encrypted traffic where the header ends and where the body
> starts?
For a typical request they are in separate SSL records and someone running a packet capture can tell when the headers or body has grown. We could arrange for the headers to always span an SSL record, and put a variable length one at the bottom -- but that only helps if the secret and request data are in the first frame.
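The point above can be made concrete with a small model of the TLS record layer. The following Python is an added example, not code from this thread: it builds a request as two records (headers, then body), reads back only the cleartext record headers the way a passive capture would, and shows that a few extra bytes in a header change the visible length unless each part is padded to a fixed block before encryption. The "encryption" is a stand-in (random bytes of plaintext length plus a constant 16-byte tag overhead), and the sample requests are constructed.

```python
"""Constructed example: what a packet capture sees of a TLS-protected request.

The TLS record header (type, version, length) is never encrypted, so an observer
sees record boundaries and lengths. Headers and body sent as separate records
therefore expose when either grows. Padding each plaintext to a fixed multiple
before encryption makes the visible lengths the same across requests.
"""
import os
import struct

RECORD_HEADER = struct.Struct("!BHH")   # content type, protocol version, length
APPLICATION_DATA = 23
TLS_1_2 = 0x0303
TAG_OVERHEAD = 16                        # stand-in for the AEAD tag added per record


def _seal(plaintext: bytes) -> bytes:
    """Stand-in for encryption: opaque bytes of plaintext length plus a constant tag.
    Constructed for the example; no real cipher is involved."""
    return os.urandom(len(plaintext) + TAG_OVERHEAD)


def pad_to_multiple(data: bytes, block: int) -> bytes:
    """Pad with zero bytes up to the next multiple of `block` (fixed-size record policy)."""
    remainder = len(data) % block
    if remainder == 0:
        return data
    return data + b"\x00" * (block - remainder)


def make_record(payload: bytes) -> bytes:
    """Wrap sealed bytes in a TLS record with a cleartext header."""
    return RECORD_HEADER.pack(APPLICATION_DATA, TLS_1_2, len(payload)) + payload


def encode_request(headers: bytes, body: bytes, pad_block: int = 0) -> bytes:
    """Emit the request as two records (headers, then body), as a typical client does.
    With pad_block > 0, each part is padded to that block size before sealing."""
    parts = [headers, body]
    if pad_block:
        parts = [pad_to_multiple(p, pad_block) for p in parts]
    return b"".join(make_record(_seal(p)) for p in parts)


def visible_lengths(stream: bytes) -> list:
    """What a passive observer learns: the length field of every record, read from
    the cleartext record header; payload bytes are skipped unread."""
    lengths = []
    offset = 0
    while offset + RECORD_HEADER.size <= len(stream):
        ctype, _version, length = RECORD_HEADER.unpack_from(stream, offset)
        offset += RECORD_HEADER.size
        if ctype != APPLICATION_DATA or offset + length > len(stream):
            raise ValueError("unexpected or truncated record")
        lengths.append(length)
        offset += length
    return lengths


# Constructed sample traffic: two requests whose headers differ by a few bytes.
HEADERS_A = b"GET /account HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc123\r\n\r\n"
HEADERS_B = b"GET /account HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc123xyz\r\n\r\n"
BODY = b"q=hello"


def growth_is_visible(pad_block: int = 0) -> bool:
    """True if captures of the two requests show different record lengths."""
    return (visible_lengths(encode_request(HEADERS_A, BODY, pad_block))
            != visible_lengths(encode_request(HEADERS_B, BODY, pad_block)))


if __name__ == "__main__":
    print("unpadded:", visible_lengths(encode_request(HEADERS_A, BODY)),
          visible_lengths(encode_request(HEADERS_B, BODY)))
    print("padded to 256:", visible_lengths(encode_request(HEADERS_A, BODY, 256)),
          visible_lengths(encode_request(HEADERS_B, BODY, 256)))
    print("growth visible unpadded:", growth_is_visible(),
          "padded:", growth_is_visible(256))
```

Padding to a block hides small size changes within a block, which is the "headers always span a record" idea; it does not change the caveat above that this only helps while the secret and the attacker-influenced data sit in the same padded unit, and a change that crosses a block boundary is still visible.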
