
Should compression be opt-in?

Open lpirl opened this issue 8 years ago • 6 comments

According to this thread, compression can be vulnerable to CRIME/BREACH attacks (if the encrypted data carries public data as well).

I am not into crypto but I guess compression should be opt-in, at least, shouldn't it?

(This issue was migrated here from dev-sec/ansible-ssh-hardening#90)

lpirl avatar Jan 23 '17 10:01 lpirl

@lpirl thanks for raising this question

@atomic111 opinion?

artem-sidorenko avatar Jan 24 '17 18:01 artem-sidorenko

@lpirl we can add the attribute, but the default value should be no. There were some vulnerabilities in the zlib compression. My approach is to reduce attack surface and only activate features that you really need. I agree with the thread that it would be really hard to exploit this flaw. My recommendation is to disable the compression stuff.

atomic111 avatar Feb 05 '17 10:02 atomic111

@atomic111 right, I completely agree with your comment why it should be turned off – even if it is not a big thing.

So you say including the attribute is not crucial since it is disabled per default anyway?

I'd expect that explicitly disabling compression would suggest to users/admins that it is generally a good idea to disable it, since the hardening profile disabled it explicitly.

lpirl avatar Feb 05 '17 10:02 lpirl
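The two posts above make the hardening case (disable compression) and the presentation case (state `Compression no` explicitly rather than relying on a default). The Ruby below is an added example, not ssh-baseline's or ansible-ssh-hardening's own code: a small sshd_config reader that reports whether compression is explicitly disabled, enabled, or simply unset, applying sshd's first-occurrence-wins rule and ignoring everything after the first `Match` line (a simplification for this example). The sample configs are constructed.

```ruby
# Added example (not ssh-baseline's own code): does an sshd_config explicitly
# disable compression, as the thread suggests a hardening profile should?
# Parsing rules applied here:
#   * a line is "Keyword value" (or "Keyword=value"); keywords are case-insensitive
#   * empty lines and lines starting with '#' are comments
#   * for a keyword given more than once, sshd uses the FIRST occurrence
#   * everything after the first "Match" line is conditional and is skipped
#     (simplification for this example; only the global scope is checked)

# Parse the global section of an sshd_config string into {keyword => value}
def parse_sshd_config(text)
  opts = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/[\s=]+/, 2)
    key = key.downcase
    break if key == 'match'          # stop at conditional blocks
    opts[key] ||= value.to_s.strip   # first occurrence wins
  end
  opts
end

# Returns :disabled, :enabled or :unset for the global Compression setting
def compression_state(text)
  value = parse_sshd_config(text)['compression']
  return :unset if value.nil?
  value.downcase == 'no' ? :disabled : :enabled
end

# Hardening verdict: only an explicit "Compression no" passes, so whoever reads
# the config sees the decision instead of depending on a compiled-in default.
def compression_hardened?(text)
  compression_state(text) == :disabled
end

# Constructed sample configs (not taken from any real host)
WEAK_CONFIG = <<~CONF
  Port 22
  Compression delayed
  # Compression no
CONF

HARDENED_CONFIG = <<~CONF
  Port 22
  Compression no
  Compression yes
  Match User backup
    Compression yes
CONF

UNSET_CONFIG = "Port 22\nPermitRootLogin no\n"

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_CONFIG, 'hardened' => HARDENED_CONFIG, 'unset' => UNSET_CONFIG }.each do |name, cfg|
    verdict = compression_hardened?(cfg) ? 'PASS' : 'FAIL'
    puts "#{name}: Compression #{compression_state(cfg)} -> #{verdict}"
  end
end
```

In the hardened sample the second `Compression yes` line is ignored because sshd keeps the first value, and the `Match` block is outside the global scope this check covers; the commented-out `# Compression no` in the weak sample has no effect, which is exactly the kind of false sense of hardening an explicit check catches.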

@lpirl perfect.

atomic111 avatar Feb 05 '17 14:02 atomic111

Looks like there is no more discussion on this, but just checking whether an option to disable compression will be added in future releases.

sgupta avatar Mar 14 '18 20:03 sgupta

Any PR to get this option in is welcome!

chris-rock avatar Mar 14 '18 20:03 chris-rock