Randomize non-pipelined requests to defend against traffic fingerprinting

According to Martin Henze (who works with Andriy Panchenko), the defense in #3914 (closed) is inadequate due to the fact that many sites forcibly disable pipelining.

He implemented a defense that randomizes non-pipelined HTTP requests as well, but it may need some cleanup. It also needs testing against their framework still, I believe.