BEAST -- a different attack against SSL/TLS developed by Rizzo and Duong last year -- is potentially more dangerous than CRIME because it can't be fixed with a patch, Ristic said. You have to fix it manually, he said.

According to SSL Pulse data, more than 70 percent of the world's top 180,000 HTTPS-enabled websites are still vulnerable to BEAST, Ristic said.

"Gmail and Twitter use SPDY, Dropbox and Yahoo Mail use TLS compression," Rizzo said. "We contacted Dropbox and they disabled compression yesterday."

In the future SPDY can be redesigned to use compression but avoid CRIME attacks, Rizzo said. In fact, Google has already developed a solution for this, he said.

"TLS compression could be enabled for some applications protocols but enabling it for HTTP is problematic," Rizzo said.