The following article was posted to The Web Security Mailing List earlier today.
"Recently, the world saw The Pirate Bay offering SSL encryption on their server.
This means that your ISP won't know anymore which torrent you are downloading, right? Wrong.
HTTPS is quite useless for protecting static and public content. By static, I do mean the .torrent file itself. It is always the same. By public, I do mean that one doesn't need any kind of authentication to pick up the content. It's always the same, for everyone. For crawlers,
So, one could easily index (a portion of) The Pirate Bay torrent database by the Content-Length. Then, one could intercept some encrypted traffic between some machine(s) within his/her network and the server. Knowing both (encrypted) request and response lengths, it is possible to get a quite reliable list of matches from the previously indexed torrent list."
Read more of 'The Pirate Bay un-SSL': http://sysd.org/stas/node/220
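
The length-matching idea in the quoted article also gives a site operator something to measure: how many files in a catalogue have an observable length shared by no other file, and how padding responses up to a fixed bucket size shrinks that number at a bandwidth cost. The sketch below is an added example, not code from the article; the sample sizes are constructed, the function names are hypothetical, and it models body length only, ignoring TLS record and header overhead and the request length the article also mentions.

```python
from collections import Counter

# Constructed sample: body sizes in bytes of ten static, public files
# (illustrative values, not measurements of any real site).
SAMPLE_SIZES = [14212, 14980, 15377, 15377, 16001,
                18450, 22913, 23040, 31876, 40125]


def padded_length(size, bucket):
    """Length an observer sees when the body is padded up to a multiple of bucket."""
    if bucket <= 1:
        return size  # no padding: the exact length leaks
    return -(-size // bucket) * bucket  # ceiling division


def anonymity_sets(sizes, bucket=1):
    """Map each observable length to the number of catalogue files producing it."""
    return Counter(padded_length(s, bucket) for s in sizes)


def uniquely_identifiable(sizes, bucket=1):
    """Count files whose observable length is shared with no other file."""
    sets = anonymity_sets(sizes, bucket)
    return sum(1 for s in sizes if sets[padded_length(s, bucket)] == 1)


def padding_overhead(sizes, bucket):
    """Extra bytes sent because of padding, as a fraction of the original total."""
    extra = sum(padded_length(s, bucket) - s for s in sizes)
    return extra / sum(sizes)


def report(sizes, buckets=(1, 1024, 8192, 16384)):
    """Return (bucket, unique file count, overhead fraction) for each bucket size."""
    return [(b, uniquely_identifiable(sizes, b), round(padding_overhead(sizes, b), 3))
            for b in buckets]


if __name__ == "__main__":
    for bucket, unique, overhead in report(SAMPLE_SIZES):
        print(f"bucket={bucket:>6}  unique={unique}/{len(SAMPLE_SIZES)}  "
              f"overhead={overhead:.1%}")
```

Even with the largest bucket one file in the sample stays unique, which is why padding alone narrows the candidate list rather than removing the leak.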