Reinstate full protection against slow retrieval attacks #932

@lukpueh

Description of issue or feature request:

#781 updated tuf's downloader module to use requests instead of custom networking code, to fix issues with HTTPS proxies.

This change, however, deprived TUF of a way to prevent a certain kind of slow retrieval attack, where the attacker sends bytes below a minimum average speed.

This attack cannot be prevented with the timeout parameters provided by requests, which are:

  • connect timeout (max # of seconds to establish connection with server)
  • read timeout (max # of seconds between bytes sent from the server)

Current behavior:
Cannot reliably enforce minimal average download speed and thus is vulnerable to slow retrieval attacks.

Expected behavior:
Reinstate full protection against slow retrieval attacks

Possible ways of fixing are

  • report issue to requests and ask them to fix it, or
  • switch to an equally well-established and feature-rich requests alternative that supports non-blocking I/O

Note: The comments in #781 have more ways of addressing this issue and also discuss why they are not viable. Consider reading up on the discussion when working on this issue.
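
The gap described in this issue, as an added example that is not part of the original issue or of TUF's code: a trickling server stays inside a per-read timeout indefinitely, while a running average-speed check cuts it off. All names (`download`, `constructed_server`, `FakeClock`), the limits and the sample schedule are hypothetical, and the stream is simulated with a fake clock so the block runs offline.

```python
import time

class SlowRetrievalError(Exception):
    """Average download speed fell below the configured floor."""

class FakeClock:
    """Deterministic clock so the example runs offline and instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def constructed_server(clock, schedule):
    """Constructed stand-in for a socket: yields (gap_seconds, chunk)."""
    for gap, chunk in schedule:
        clock.now += gap  # time the client spent blocked waiting for this chunk
        yield gap, chunk

def download(stream, clock=time.monotonic, read_timeout=4.0, min_avg_bps=None, grace=5.0):
    """Collect chunks; enforce a per-read timeout and, optionally, an average-speed floor."""
    start = clock()
    received = bytearray()
    for gap, chunk in stream:
        if gap > read_timeout:  # what a read timeout catches: one long silence
            raise TimeoutError(f"no data for {gap:.1f}s")
        received += chunk
        elapsed = clock() - start
        # What it misses: many short silences. Check the running average after the grace period.
        if min_avg_bps is not None and elapsed > grace:
            if len(received) / elapsed < min_avg_bps:
                raise SlowRetrievalError(f"{len(received)} bytes in {elapsed:.0f}s")
    return bytes(received)

# Constructed trickle: 1 byte every 3 seconds, always inside the 4 s read timeout.
TRICKLE = [(3.0, b"x")] * 10

def run(schedule, **limits):
    """Return (outcome, bytes_received, seconds_elapsed) for one simulated download."""
    clock = FakeClock()
    try:
        data = download(constructed_server(clock, schedule), clock=clock, **limits)
        return ("ok", len(data), clock.now)
    except (TimeoutError, SlowRetrievalError) as exc:
        return (type(exc).__name__, None, clock.now)

if __name__ == "__main__":
    print(run(TRICKLE))                   # read timeout alone
    print(run(TRICKLE, min_avg_bps=100))  # with the average-speed floor
```

The average is only evaluated when a read returns, so the read timeout still bounds how long a single stalled read can delay the check.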
