[thurn]

I'm not sure what motivates this comment... the issue at hand is certainly not a vulnerability in the SPDY protocol.

[protobluffers]

"CRIME works only when both the browser and server support TLS compression or SPDY"

If it would make more sense, then s/protocol/implementation/g or whatever you need to do to make sense of this.

How ever you choose to frame it, the targets are TLS and SPDY.

[tptacek]

Huh? SPDY uses TLS. The target is basically "web browsers".

[anonymous]

"web browsers" that support TLS compression or SPDY (which uses TLS compression)

It's quite possible to use a browser that supports neither. Indeed I'm using one right now.

[newman314]

Does the SPDY spec require TLS compression? IIRC, TLS is needed. Hence, SPDY+http compress+no TLS compression is workable, no? It's not ideal but would still work...