Open lpirl opened 7 years ago
@lpirl thanks for raising this question
@atomic111 opinion?
@lpirl we can add the attribute, but the default value should be no. There were some vulnerabilities in the zlib compression. My approach is to reduce attack surface and only activate features that you really need. I agree with the thread that it would be really hard to exploit this flaw. My recommendation is to disable the compression stuff.
@atomic111 right, I completely agree with your comment why it should be turned off – even if it is not a big thing.
So you say including the attribute is not crucial since it is disabled by default anyway?
I'd expect that explicitly disabling compression would suggest to users/admins that it is generally a good idea to disable it, since the hardening profile disabled it explicitly.
@lpirl perfect.
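As an added illustration of the explicit `Compression no` setting discussed above (example code written for this page, not code from the dev-sec role or from any participant in the thread): a POSIX shell check that reports the Compression value sshd would actually take from a given sshd_config, following sshd's own parsing rules (keywords are case-insensitive, `#` starts a comment, `Key=value` is accepted, and the first occurrence of a keyword wins), plus a helper that rewrites the file so the effective value is `no`. Note that sshd_config(5) documents the built-in default as `yes` (`delayed` in older releases), so an absent keyword should not be read as "disabled". The function names and the sample configuration paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the dev-sec role or from this thread.
# Reads an sshd_config the way sshd(8) does for a global keyword:
#   - keywords are case-insensitive, "#" starts a comment,
#   - "Key value" and "Key=value" are both accepted,
#   - when a keyword appears more than once, the FIRST occurrence wins,
#   - Compression is a global option, so parsing stops at the first Match block.

# Print the Compression value sshd would take from FILE ($1), or "unset"
# if the file does not set it. "unset" does NOT mean disabled: sshd_config(5)
# documents the built-in default as yes (delayed in older releases).
sshd_compression_value() {
    v=$(awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }          # drop comments, normalise Key=value
        tolower($1) == "match" { exit }             # Compression cannot live inside Match
        tolower($1) == "compression" { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${v:-unset}"
}

# Rewrite FILE ($1) in place so that the effective Compression value is "no".
# Because the first occurrence wins, an existing line is replaced where it
# stands; blindly appending "Compression no" at the end of the file would be
# ignored by sshd (or rejected, if it landed inside a Match block), so when
# no line exists yet it is inserted before the first Match block instead.
sshd_disable_compression() {
    f="$1"
    tmp=$(mktemp) || return 1
    awk '
        { line = $0; sub(/#.*/, "", line); gsub(/=/, " ", line); split(line, w) }
        !done && tolower(w[1]) == "compression" { print "Compression no"; done = 1; next }
        !done && tolower(w[1]) == "match"       { print "Compression no"; done = 1 }
        { print }
        END { if (!done) print "Compression no" }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (hypothetical path):
#   sshd_compression_value /etc/ssh/sshd_config
#   sshd_disable_compression /etc/ssh/sshd_config && sshd -t   # syntax-check before reload
```

The file-based check only sees one file; on a host with `Include` directives or a running daemon, `sshd -T | grep -i '^compression'` prints the value the daemon actually resolved and is the better final verification.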
Looks like there is no more discussion on this, but just checking if the option to disable compression will be added in future releases.
Any PR to get this option in is welcome!
According to this thread, compression can be vulnerable to CRIME/BREACH attacks (if the encrypted data carries public data as well).
I am not into crypto, but I guess compression should be opt-in, at least, shouldn't it?
(This issue was migrated here from dev-sec/ansible-ssh-hardening#90)