The CRIME attack code, known as an agent, needs to be loaded inside the victim's browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim's network, by injecting the attack code into an existing HTTP connection.

CRIME doesn't require browser plug-ins to work; JavaScript was used to make it faster, but it could also be implemented without it, Rizzo said.

The attacker must also be able to sniff the victim's HTTPS traffic. This can be done on open wireless networks; on local area networks (LANs), by using techniques such as ARP spoofing; or by gaining control of the victim's home router through a vulnerability or default password.

For the attack to work, both the victim's client and the server hosting the targeted website need to support the vulnerable SSL/TLS feature, Rizzo said.

Rizzo confirmed that the HTTPS implementations on some popular websites are vulnerable to the attack, but declined to name any of them.