CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)
Posted Sep 14, 2012 0:40 UTC (Fri) by intgr (subscriber, #39733)
In reply to: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost) by butlerm
Parent article: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)
It's actually easier than that. When you visit *any* HTTP (non-secure) site, they can inject the necessary JavaScript code to carry out the attack.
> If the browser manufacturers didn't share private data across what ought to be separate sessions
Agreed. Personally I'd prefer restricting or policing how cross-domain requests are authenticated -- that would address many other attacks, too.
> "Anyone" with a BGP router cannot do this kind of thing
Right you are, but that's still way too many people and organizations to trust.
