CRIME was tested successfully with Mozilla Firefox and Google Chrome. However, other browsers could also be affected, Rizzo said.

Mozilla and Google have already prepared patches that block the attack but they have not yet been released, the researcher said.

Last year at Ekoparty, Rizzo and Duong presented an attack called BEAST (Browser Exploit Against SSL/TLS), which was also capable of decrypting HTTPS session cookies. That attack affected SSL 3.0 and TLS 1.0 when used with certain cipher suites.

Mitigating BEAST involved upgrading to TLS 1.1 or 1.2, the latest versions of the TLS protocol, or prioritizing unaffected RC4-based cipher suites for older versions of the protocol.

However, the mitigation solution doesn't work for CRIME because, in addition to exploiting a feature that is present in all versions of SSL/TLS, the attack is not dependent on a particular cipher, Rizzo said.