
derekm Apr 11, 2014

colinmollenhour,

The variable length was to support re-using this extension for Path MTU Discovery on the UDP side of things (where you need to send messages of increasing length up to the max MTU until you see a packet drop, then you know the smallest MTU along the entire path). The addition of a separate random padding presumably keeps the length field from becoming a vector for a known-plaintext attack. Not sure of the purpose of a padding before the addition of yet another length header (beyond {,D}TLSPlaintext.length), except maybe to keep the reply to your heartbeat small while continually increasing the size of the packets while discovering Path MTU in UDP.

However, the length field may remain a vector for known-plaintext attacks since the default padding length is not randomized, but is set to 16 bytes in both request and response when not doing Path MTU Discovery. So the length field can become known by taking the length of the ciphertext and subtracting 19 (3 bytes for header, 16 bytes for padding).
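
A C parser for the heartbeat layout discussed above (1-byte type, 2-byte length, payload, at least 16 bytes of padding), added here as an illustration and not taken from the comment or from OpenSSL. It discards any message whose length field claims more payload than the record actually holds; the function and struct names are hypothetical and the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN   3u  /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16u  /* minimum, and default, padding length */

enum hb_status { HB_OK = 0, HB_DISCARD = -1 };

struct hb_msg {              /* hypothetical names, for illustration */
    uint8_t        type;     /* 1 = request, 2 = response */
    uint16_t       payload_len;
    const uint8_t *payload;  /* points into the caller's record buffer */
    size_t         padding_len;
};

/* Parse one decrypted heartbeat record of rec_len bytes. */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len, struct hb_msg *out)
{
    if (rec == NULL || out == NULL)
        return HB_DISCARD;
    /* Must hold at least the header and the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_DISCARD;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The claimed payload must fit in the bytes actually received;
       trusting the field alone would read past the record. */
    if ((size_t)claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_DISCARD;
    out->type = rec[0];
    out->payload_len = claimed;
    out->payload = rec + HB_HEADER_LEN;
    out->padding_len = rec_len - HB_HEADER_LEN - claimed;
    return HB_OK;
}

int main(void)
{
    /* Constructed sample: request, 4-byte payload, 16 zero padding bytes. */
    uint8_t rec[23] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    struct hb_msg m;
    printf("honest length: %d\n", hb_parse(rec, sizeof rec, &m));
    rec[1] = 0x40;  /* same 23 bytes, but now claiming 0x4004 payload bytes */
    printf("inflated length: %d\n", hb_parse(rec, sizeof rec, &m));
    return 0;
}
```

With the default 16-byte padding, the accepted sample has `payload_len` equal to the record length minus 19, matching the arithmetic in the comment.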