http://www.theregister.co.uk/2010/03/23/side_channel_attacks_web_apps/ 

By Dan Goodin in San Francisco 
The Register
23rd March 2010

Google, Yahoo, Microsoft's Bing, and other leading websites are leaking 
medical histories, family income, search queries, and massive amounts of 
other sensitive data that can be intercepted even when encrypted, 
computer scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to 
infer the sensitive data by analyzing the distinct size and other 
attributes of each exchange between a user and the website she was 
interacting with. Using man-in-the-middle attacks, they could glean the 
information even when transactions were encrypted using the Secure 
Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access 
protocol.

"Our research shows that surprisingly detailed sensitive user data can 
be reliably inferred from the web traffic of a number of high-profile, 
top-of-the-line web applications" offered by Google, Yahoo, and Bing as 
well as the leading online providers of tax, health and investments 
services, which the researchers didn't name.

"An eavesdropper can infer the medications/surgeries/illnesses of the 
user, her annual family income and investment choices and money 
allocations, even though the web traffic is protected by HTTPS. We also 
show that even in a corporate building that deploys the up-to-date 
WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit 
outside the building to glean the query words entered into employees' 
laptops, as if they were exposed in plain text in the air."

[...]


___________________________________________________________
Register now for HITBSecConf2010 - Dubai, the premier 
deep-knowledge network security event in the GCC, 
featuring keynote speakers John Viega and Matt Watchinski! 
http://conference.hitb.org/hitbsecconf2010dxb/