HTTPS has whole series of side-channel leaks, which can be exploited to fingerprint the tunnelled protocol: many implementations don't add padding or active probing resistance.

Sizable communications with an uncommon IP can be singled out by netflow analysis.

But yes, it usually works.