Comment by tlb

11 years ago

HTTPS does encrypt both request and response.

However, you can figure out what pages on a large public site like Wikipedia people are reading over HTTPS, based on statistical traffic analysis, because you can see the size of the request, page, and each of the images. Combined with link following analysis, you can make a fairly accurate guess as to what people are reading.

I believe that the combination of HTTP/2 and TLS length-hiding makes that attack impractical. Though admittedly we're still years away from widespread deployment of those two technologies.
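An added illustration, not part of the comments above: a small Python model for checking how much a padding policy shrinks the set of pages that an observer of ciphertext sizes can tell apart. The page names, byte sizes, the fixed-block padding scheme and the "only the total is visible" model of HTTP/2 multiplexing are all assumptions made for this example.

```python
from collections import Counter

# Constructed sample: page -> sizes in bytes of its HTML and each image.
SITE = {
    "page_a": (48210, 15320, 9804),
    "page_b": (48990, 15101, 9650),
    "page_c": (47750, 22140),
    "page_d": (12044, 3310),
    "page_e": (12900, 3400),
    "page_f": (31877,),
}

def pad(size, block):
    """Round size up to the next multiple of block (block=1 means no padding)."""
    return -(-size // block) * block

def signature(sizes, block, multiplexed):
    """Lengths visible on the wire for one page load.
    multiplexed=False: every resource's padded length is seen separately.
    multiplexed=True: only the padded total is seen (simplified model of
    resources interleaved on one connection)."""
    if multiplexed:
        return (pad(sum(sizes), block),)
    return tuple(pad(s, block) for s in sizes)

def uniquely_identifiable(site, block=1, multiplexed=False):
    """Pages whose size signature is shared with no other page."""
    sigs = {p: signature(s, block, multiplexed) for p, s in site.items()}
    counts = Counter(sigs.values())
    return sorted(p for p, sig in sigs.items() if counts[sig] == 1)

def overhead(site, block):
    """Fraction of extra bytes sent when each resource is padded to block."""
    raw = sum(sum(s) for s in site.values())
    padded = sum(pad(x, block) for s in site.values() for x in s)
    return (padded - raw) / raw

if __name__ == "__main__":
    for block, mux in [(1, False), (1, True), (16384, False), (16384, True)]:
        ids = uniquely_identifiable(SITE, block, mux)
        print(f"block={block:<6} multiplexed={mux!s:<5} unique={ids}")
    print(f"padding overhead at 16384: {overhead(SITE, 16384):.1%}")
```

In this constructed data, multiplexing without padding leaves every page distinguishable, and even with both measures the one page whose total size is an outlier stays unique, so a padding policy should be judged by the smallest anonymity set it leaves, not the average.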