Tramp disables SSH host key checks by setting GlobalKnownHostsFile=/dev/null, UserKnownHostsFile=/dev/null, and StrictHostKeyChecking=no in its default method configuration. These settings allow attackers to intercept connections to remote hosts, sniff passwords, and cause other mischief. I don't think we should ship an insecure configuration.
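The following is an added example and is not part of the bug report above or of Tramp itself. It puts a constructed stand-in for the reported option set next to a hardened alternative and flags the options that disable SSH host key verification, so a reviewer can check a method's ssh arguments mechanically. The option strings, the function names and the hardened choice of `StrictHostKeyChecking=yes` with the user's own `known_hosts` are assumptions made here, not anything Tramp ships.

```bash
#!/usr/bin/env bash
# Added example: flag ssh options that disable host key verification.
# The two option strings below are constructed for illustration; they are
# not copied from Tramp's tramp-methods.

# Stand-in for the reported default: both known_hosts files discarded and
# StrictHostKeyChecking off, so any host key (including an attacker's) is
# accepted silently.
INSECURE_OPTS='-o GlobalKnownHostsFile=/dev/null -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'

# Hardened replacement: keep the user's known_hosts and refuse unknown or
# changed keys. StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) is
# the trust-on-first-use middle ground if an interactive prompt is unwanted.
HARDENED_OPTS='-o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts'

# Print each option in $1 that disables host key verification, one per line.
# Accepts both "-o Key=Value" and "-oKey=Value"; comparison is
# case-insensitive, as ssh treats option names.
list_hostkey_bypass_opts() {
    local tok lc
    for tok in $1; do
        lc=$(printf '%s' "${tok#-o}" | tr '[:upper:]' '[:lower:]')
        case "$lc" in
            globalknownhostsfile=/dev/null|userknownhostsfile=/dev/null|stricthostkeychecking=no)
                printf '%s\n' "${tok#-o}" ;;
        esac
    done
}

# Number of host-key-bypass options in $1; 0 means verification is kept.
count_hostkey_bypass_opts() {
    local n
    n=$(( $(list_hostkey_bypass_opts "$1" | wc -l) ))
    printf '%d\n' "$n"
}

# Exit status 0 if $1 disables host key verification, 1 otherwise.
ssh_opts_bypass_hostkey_check() {
    [ "$(count_hostkey_bypass_opts "$1")" -gt 0 ]
}

# Report one option set: which options, if any, defeat the check.
report_opts() {
    if ssh_opts_bypass_hostkey_check "$2"; then
        echo "$1: host key verification DISABLED by:"
        list_hostkey_bypass_opts "$2" | sed 's/^/  /'
    else
        echo "$1: host key verification kept"
    fi
}

report_opts INSECURE_OPTS "$INSECURE_OPTS"
report_opts HARDENED_OPTS "$HARDENED_OPTS"
```

The check only looks at the three options named in the report; other ways to weaken verification (for example pointing `UserKnownHostsFile` at a world-writable path) are outside its scope and would need their own rule.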