Since #781 we
only provide limited protection against slow retrieval attacks.
So far this has only been discussed in the above issue and hinted at
by a disabled test and a code comment in that test.
This change adds a corresponding disclaimer to a more prominent
place, i.e. the list of attacks in SECURITY.md.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
docs/SECURITY.md (2 additions & 1 deletion)
@@ -20,7 +20,8 @@ snapshot metadata, and thus new updates could never be downloaded.
***Endless data attacks**. An attacker responds to a file download request with an endless stream of data, causing harm to clients (e.g. a disk partition filling up or memory exhaustion).
-
***Slow retrieval attacks**. An attacker responds to clients with a very slow stream of data that essentially results in the client never continuing the update process.
+
***~~Slow retrieval attacks~~**. An attacker responds to clients with a very slow stream of data that essentially results in the client never continuing the update process.\
+
**_NOTE: The TUF reference implementation currently provides only limited protection against slow retrieval attacks (see [tuf#781](https://github.com/theupdateframework/tuf/pull/781))._**
***Extraneous dependencies attacks**. An attacker indicates to clients that in order to install the software they wanted, they also need to install unrelated software. This unrelated software can be from a trusted source but may have known vulnerabilities that are exploitable by the attacker.
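Review bot: striking through the attack name (`***~~Slow retrieval attacks~~**`) reads as if the attack has been removed from the list of threats the implementation addresses, which contradicts the added NOTE that says protection is "limited" rather than absent; keep the name unstruck and let the NOTE carry the qualification. The NOTE should also say what "limited" means in practice, i.e. whether a client stalled by a slow sender still hits a timeout and aborts, or can hang indefinitely as the attack description on the same line states; a reader of SECURITY.md has no way to tell, and the commit message says the only other record of this is a disabled test. Minor: the commit message calls #781 an issue, while the link text `tuf#781` points at `/pull/781`; make the two consistent so the reference resolves to the right discussion.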