theupdateframework · joshuagl · Sep 30, 2020
@@ -32,10 +32,6 @@ A number of older releases were packaged by Vladimir V Diaz:
 
 In no particular order...
 
-- [ ] Provide protection against a class of slow retrieval attacks using long
-inter-byte delays, without sacrificing the use of clean, modern,
-production-quality HTTP libraries (requests currently).
-
 - [ ] Support ASN.1 metadata: loading, writing, signing, and verification.
 
 - [x] [CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/1351) badge.

@@ -20,9 +20,6 @@ snapshot metadata, and thus new updates could never be downloaded.
 
 * **Endless data attacks**. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion). 
 
-* **~~Slow retrieval attacks~~**. An attacker responds to clients with a very slow stream of data that essentially results in the client never continuing the update process.\
-**_NOTE: Due to limitations in a 3rd-party HTTP library, the TUF reference implementation currently provides only limited protection against slow retrieval attacks (see [tuf#932](https://github.com/theupdateframework/tuf/issues/932)). We plan to fix this in a future release._**
-
 * **Extraneous dependencies attacks**. An attacker indicates to clients that in order to install the software they wanted, they also need to install unrelated software. This unrelated software can be from a trusted source but may have known vulnerabilities that are exploitable by the attacker. 
 
 * **Mix-and-match attacks**. An attacker presents clients with a view of a repository that includes files that did not exist together on the repository at the same time. This can result in, for example, outdated versions of dependencies being installed.