This is a *huge* issue. We really need leaders to start being aggressive with bringing down the variation. It's damaging the benefit of using TLS at all, and I'd argue browser vendors would be making their users safer by having browsers force HTTP (or outright reject) on websites that aren't maintained enough to do TLS 1.2 than allowing HTTPS and ultimately hurting the whole ecosystem.

I don't see a mention of timing in this paper, either. I suspect that it is another viable identifier. After accounting for latency, the speed of the response can give you an idea of what hardware they're using.
I don't really get the point of getting the user agent with this technique. How useful is it? It's not really fingerprinting. You can't identify a computer uniquely. Pretty much all iPhones have the same user agent.