If you are tunneling between home (A) and "vpn" provider (B) that terminates your traffic and sends out it to the public internet, and you are browsing websites C and D, both sharing the ad / tracking site E. 1. It's easy for anyone observing traffic between A and B to deduce from the traffic patterns what kinds of requests you are exchanging between C and D, 2. It's easy for someone obsrving traffic between A and B, and colluding with tracking site E, to correlate your address at A with your browsing behaviour on sites C and D by correlating A-B flows with information gathered by E.
In the Mighty type architecture, the leaked signal from the flow between end user and Mighty servers will be harder to match to the HTTP(S) traffic based on packet timing and sizes. But not necessarily hard enough unless there are purpouseful andi-TA measures employed. Hence I said "potential" privacy advantages.
Both of these scenarios place equal amount of trust in service operator - the difference is in security is against other adversaries.
I don't think that there is much of a TA benefit -- you make a request (and let's assume it's just a packet count/timing analyzer) and 10 packets burst out of your device to Mighty, then 10 packets burst out from Mighty to the destination. How is that not equally analyzable?
> Both of these scenarios place equal amount of trust in service operator - the difference is in security is against other adversaries.
This is where I would strongly disagree. With a VPN they can analyze your endpoints, but assuming E2E encryption, they cannot see your actual packets. Whereas Mighty is definitionally a MITM browser, they can see everything. Therefore you are trusting Mighty incredibly more than a VPN provider.
> you make a request (and let's assume it's just a packet count/timing analyzer) and 10 packets burst out of your device to Mighty, then 10 packets burst out from Mighty to the destination
By my understanding, the web browser runs at the Mighty server farm and it's streaming it to you using a RDP or Stadia style system. So, it's more like you send 10-ish packets containing input events (like mouse motion and click) using the Mighty client protocol, and as a result the Mighty service does 150 web requests that happen due to loading the new web page (probably around 10k packets). While the page is loading, the Mighty service sends you screen updates that are again much different than the packets the Mighty service is receiving in response to the web requests.
Yes, these can still be temporally correlated, even though the correspondence is much more distant than in the VPN case (where you can just observe the similar sized packets). But there's potential to fix it rather easily, by eg using chaff traffic to the client in idle periods, and/or by pulsing updates out to all users to the service in sync, etc.
This is strictly worse for privacy than a VPN run by the same company, no?