Add slow retrieval disclaimer

Since theupdateframework#781 we only provide limited protection against slow retrieval attacks. So far this has only been discussed in above issue and hinted at by a disabled test and a code comment in that test. This change adds a corresponding disclaimer to a more prominent place, i.e. the list of attacks in SECURITY.md.
lukpueh · Oct 3, 2019 · 75e5351 · 75e5351
1 parent 9fde70f
commit 75e5351
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
@@ -20,7 +20,8 @@ snapshot metadata, and thus new updates could never be downloaded.
 
 * **Endless data attacks**. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion). 
 
-* **Slow retrieval attacks**. An attacker responds to clients with a very slow stream of data that essentially results in the client never continuing the update process. 
+* **~~Slow retrieval attacks~~**. An attacker responds to clients with a very slow stream of data that essentially results in the client never continuing the update process.\
+**_NOTE: The TUF reference implementation currently provides only limited protection against slow retrieval attacks (see [tuf#781](https://github.com/theupdateframework/tuf/pull/781))._**
 
 * **Extraneous dependencies attacks**. An attacker indicates to clients that in order to install the software they wanted, they also need to install unrelated software. This unrelated software can be from a trusted source but may have known vulnerabilities that are exploitable by the attacker.