CRIME relies on lots of things, one of which is a browser that makes requests for offsite resources automatically. Sure, Chrome does that, but not all browsers do, and certainly not simple HTTP clients unless you're spidering.
It's pretty easy to not be vulnerable to CRIME, but not when you use SPDY, since SPDY was compressing everything. The protocol takes away the control that the HTTP 1.1 user had through specifying desired options in headers, such as whether or not to use compression. And compression was never the default in HTTP/HTTPS.
I wish that I liked SPDY. It's easier to go along with the crowd. But I just don't. IMO, it's something that should stay internal to Google and not be pushed on the rest of the web. Exactly for reasons like this exploit. It's way too easy to screw this stuff up.
SPDY compresses everything, together, by default.