Drop compression from the modern policy

mozilla / ssh_scan_api

An API for ssh_scan (https://github.com/mozilla/ssh_scan) and the backend API service for the Mozilla SSH Observatory (https://observatory.mozilla.org/)

31 stars 8 forks source link

Drop compression from the modern policy #34

Closed claudijd closed 7 years ago

claudijd commented 7 years ago

This really doesn't have any security implications, and we might have configuration limitations with openssh (the most popular ssh lib).

By removing it, we will effectively not care what they have for compression settings.

claudijd commented 7 years ago

/cc @april

april commented 7 years ago

Note that I can always just ignore it, but having the policy match reflect security is probably a good thing. If compression ever becomes a security hazard, we can always add it in.

claudijd commented 7 years ago

This is the bug for compression security relevance research (https://github.com/mozilla/ssh_scan/issues/42)