Data compression reduces the number of bytes contained in a file or data stream by removing redundant information. CRIME forces a web browser to compress and encrypt requests that contain attacker-controlled data that is combined with the cookie secret. If one of the requests produces fewer encrypted network packets, that's an indication there's more redundancy in the request, and hence the attacker data and the secret data have more information in common. CRIME algorithms decrypt the session cookies by guessing their contents byte by byte. The attacks don't require any browser plugins, and the use of JavaScript isn't necessary, although it does make the brute-force attack faster.
