Giulio,
How about a three-part attack consisting of a web service that batches the fetching of favicons in a secure fashion, a simple security preference, and the ability for advanced users to manually enter data?
Yes, I know this does still leave one small whole were data can be gathered regarding a user with the web service, but I'll address that in a moment.
First, add a data type to the list (Text, URL, Date, Password) for FavIcon. If a user enters an already-created data:// base64 string, they could then manually associate the favicon they want with the direct login they want. For advanced users, that would provide an even higher degree of control, including the ability for some fun customization.
Next, when a new card/direct-login needs a favicon (not manually provided), have the client create an encrypted request for the domain's favicon that gets uploaded to Clipperz. It is my understanding that the server first verifies a person's right to data before assigning their user ID in the session. Even though the server doesn't know what data is contained inside the cards, it then knows that session X is authenticated for data-set Y. This could be done in the same method as that handshake, encrypting the request using a key provided by the (already authenticated) server.
Then have the server batch all the requests to happen at once during a regular interval. Make sure there is enough time between batches so that multiple requests can build up. That way outside loggers cannot associate which incoming connection to the server requested which favicon at what time. Encrypt the data:// string using the same key as originally used for each request to provide the data securely back to the client. Additionally, the server can then internally cache the favicon in case any other user ID makes the same request, drastically reducing the traffic load to the favicon file and speeding up the service as a whole.
The only thing this does *not* protect against is an unscrupulous Clipperz server collecting a list of which user ids requested which favicons, although it still doesn't say who the user id is in the real world, or how many cards they have for a given domain. This could be further minimized by putting a simple on/off toggle in the preferences (account) section of the application to disable requests for favicons altogether.
Technically speaking, the fact that Clipperz requests all the favicons every times it loads could be seen as a current security risk, since a simple packet-sniffer can detect those requests combined with the fact that they were all requested in a short period of time right after connecting to a Clipperz server, which very clearly implies that a person has at least one direct login to said site.
What do you think?
-Jason Schmidt