README.md: add info about Marvin Attack (RUSTSEC-2023-0071) (#391)

References: - #19 - https://rustsec.org/advisories/RUSTSEC-2023-0071.html - https://people.redhat.com/~hkario/marvin/
RustCrypto · Nov 28, 2023 · 5d45065 · 5d45065
1 parent ac108c9
commit 5d45065
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -65,16 +65,19 @@ There will be three phases before `1.0` 🚢 can be released.
     - [ ] Fuzz testing
     - [ ] Security Audits
 
-## Security Notes
+## ⚠️Security Warning
 
 This crate has received one [security audit by Include Security][audit], with
 only one minor finding which has since been addressed.
 
 See the [open security issues] on our issue tracker for other known problems.
 
-Notably the implementation of [modular exponentiation is not constant time],
+~~Notably the implementation of [modular exponentiation is not constant time],
 but timing variability is masked using [random blinding], a commonly used
-technique.
+technique.~~ This crate is vulnerable to the [Marvin Attack] which could enable
+private key recovery by a network attacker (see [RUSTSEC-2023-0071]).
+
+You can follow our work on mitigating this issue in [#390].
 
 ## Minimum Supported Rust Version (MSRV)
 
@@ -118,3 +121,6 @@ dual licensed as above, without any additional terms or conditions.
 [open security issues]: https://github.com/RustCrypto/RSA/issues?q=is%3Aissue+is%3Aopen+label%3Asecurity
 [modular exponentiation is not constant time]: https://github.com/RustCrypto/RSA/issues/19
 [random blinding]: https://en.wikipedia.org/wiki/Blinding_(cryptography)
+[Marvin Attack]: https://people.redhat.com/~hkario/marvin/
+[RUSTSEC-2023-0071]: https://rustsec.org/advisories/RUSTSEC-2023-0071.html
+[#390]: https://github.com/RustCrypto/RSA/issues/390