'CRIME' attack abuses SSL/TLS data compression feature to hijack HTTPS sessions

14.09.2012

However, if we generate a third request, but with "cookie = 156" instead of "cookie = 456", the compression algorithm will now replace the "cookie = 1" part because it matches "cookie = 1" from the existing "cookie = 123" string. The resulting request will be shorter than the previous two because a longer part was replaced.

If we were to assume that we didn't know the 123 value from the first string in advance, the variation in compression ratio for the third request will indicate that we just guessed the first character of that value -- 1.

We can then start the same process again, but now using the already known character and trying different variants for the second one until we see a new variation in compression ratio. CRIME is based on the same principle.
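The length difference described above can be reproduced with an ordinary DEFLATE compressor, which is what TLS compression used. The following is an added example, not code from the article or from the CRIME researchers; it builds a constructed request whose query string is attacker-controlled and whose Cookie header carries a made-up secret (the header name and "session" cookie are assumptions), then compares the on-the-wire size of one request per single-digit guess. It also shows the two defences that matter: turning compression off, or never compressing attacker-controlled and secret data in the same context, in which case every guess produces the same size and the length reveals nothing.

```python
import zlib

# Constructed sample values (not captured traffic): the Cookie value is the
# secret, the query string is text the other party can choose freely.
SECRET = b"123"


def request_parts(guess: bytes, secret: bytes = SECRET):
    """Return (attacker-controlled part, secret-bearing part) of one request.
    Inside one TLS record both parts would be fed to the same compressor."""
    controlled = b"GET /?session=" + guess + b" HTTP/1.1\r\nHost: example.test\r\n"
    private = b"Cookie: session=" + secret + b"\r\n"
    return controlled, private


def wire_size(controlled: bytes, private: bytes, mode: str) -> int:
    """Bytes on the wire under three policies:
    'shared' - one compressor over the whole request (what TLS compression did)
    'none'   - no compression at all (the fix browsers and servers shipped)
    'split'  - controlled and secret data compressed in separate contexts"""
    if mode == "shared":
        return len(zlib.compress(controlled + private))
    if mode == "none":
        return len(controlled + private)
    if mode == "split":
        return len(zlib.compress(controlled)) + len(zlib.compress(private))
    raise ValueError(mode)


def sizes_per_digit(mode: str, secret: bytes = SECRET) -> dict:
    """Wire size of one request per single-digit guess at the secret's first byte.
    The guessed digit is followed by filler so only the first byte is probed."""
    return {d: wire_size(*request_parts(d + b"56", secret), mode)
            for d in (str(i).encode() for i in range(10))}


def unique_shortest(sizes: dict):
    """The one guess whose request was strictly shorter than all others, or
    None when the sizes tie, i.e. when the length carries no information."""
    smallest = min(sizes.values())
    winners = [g for g, s in sizes.items() if s == smallest]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    for mode in ("shared", "none", "split"):
        sizes = sizes_per_digit(mode)
        print(mode, sorted(sizes.values()), "leaks:", unique_shortest(sizes))
```

With the shared compressor, the request for the guess that matches the secret's first byte is exactly one byte shorter than the other nine, because the back-reference "session=1" replaces one more literal than "session=". With compression disabled, or with the two parts compressed in separate contexts, all ten sizes are identical, which is why the practical fix was to disable TLS-level compression rather than to hide the cookie from the page's scripts.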

It uses JavaScript or plain HTML code to force the victim's browser to repeatedly initiate requests to the targeted HTTPS website. The attack code can be loaded into the victim's browser by tricking the victim into visiting a compromised or malicious website or by injecting it into the victim's legitimate HTTP traffic when connected over an open wireless network.

The attack code can't read the session cookie included in the requests because of security mechanisms in the browser. However, it can control the path of every new request and can insert different strings into it in an attempt to match the value of the cookie.