Stopping CRIME Attacks
This article by Dan Goodin appears to cover the most facts about the CRIME attack on SSL/TLS. It answers my first question about what the acronym means; CRIME is short for “Compression Ratio Info-Leak Made Easy.”
It also confirms the attack is performed when the communication uses TLS compression. My understanding is that TLS compression is used in SPDY, which is an open networking protocol used by both Google and Twitter.
There is good news. Microsoft Internet Explorer, Google Chrome and Mozilla Firefox are believed to be immune to the attack, as IE never supported SPDY, and Chrome and Firefox have been patched. There may be issues with mobile browsers, but that is still to be confirmed.
The CRIME attack will only work when a vulnerable browser or application is connected to a website that supports TLS compression or SPDY. So, to protect your users, you should disable SPDY or TLS compression on your website.
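One way to check a server configuration for the two settings named above, as an added example that is not from the article or this post. It assumes the site runs Apache (mod_ssl's `SSLCompression`, mod_spdy's `SpdyEnabled`) or nginx (the `spdy` parameter of `listen`); the function name and the sample configurations are constructed for illustration.

```python
import re

# Patterns for live directives that turn on what the post says to disable.
# Assumption: Apache mod_ssl / mod_spdy or nginx. Apache names are case-insensitive.
RULES = [
    ("tls-compression", re.compile(r"^\s*SSLCompression\s+on\b", re.I)),
    ("spdy", re.compile(r"^\s*SpdyEnabled\s+on\b", re.I)),
    ("spdy", re.compile(r"^\s*listen\s+[^;#]*\bspdy\b")),
]


def audit_config(text):
    """Return (line_number, issue, directive) for every active directive
    that enables TLS compression or SPDY. Commented-out text is ignored."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        for issue, pattern in RULES:
            if pattern.search(line):
                findings.append((number, issue, line))
                break
    return findings


# Constructed sample configurations (not taken from any real site).
APACHE_SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLCompression on   (old setting, commented out)
    sslcompression On
    SpdyEnabled on
</VirtualHost>
"""
NGINX_SAMPLE = """\
server {
    listen 443 ssl spdy;
    listen 80;
}
"""
HARDENED_SAMPLE = """\
SSLCompression off
SpdyEnabled off
"""

if __name__ == "__main__":
    for name in ("APACHE_SAMPLE", "NGINX_SAMPLE", "HARDENED_SAMPLE"):
        print(name, audit_config(globals()[name]) or "no findings")
```

An empty result only means no directive explicitly enables these features; whether compression is on by default depends on the server and TLS library versions in use.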