Configuration Medium Attackers may be able to exploit the CRIME attack to obtain session cookies or other sensitive data. TLS Compression can be disabled in the server configuration. Consult documentation for the precise steps. The Mozilla Server Side TLS configuration guide includes instructions for disabling TLS/SSL compression in server configuration (see link below). The HTTPS server must likely be restarted for configuration changes to take effect. Vega detected that TLS compression is enabled by the server. This can be leveraged to carry out a chosen-plaintext attack through observing the compression ratio of data sent back from the server. If the attacker can induce a target user into making specific requests, it may be possible for them to obtain their session cookie. Server Side TLS (Mozilla) CRIME attack against TLS HTTPS (Wikipedia)