{ "type": "edit", "branch": "%s7joiEBvcM+Jco0O5+IveZKBIKN0tLAMPELH9q6KCSQ=.sha256", "root": "%I6FaCzdXcKAiZp0LVhwVluDeDkhNPGQXEqNEkUFLq34=.sha256", "updated": "%s7joiEBvcM+Jco0O5+IveZKBIKN0tLAMPELH9q6KCSQ=.sha256", "original": "%s7joiEBvcM+Jco0O5+IveZKBIKN0tLAMPELH9q6KCSQ=.sha256", "text": "> @ev does the problem of exposing private message data only appear in lite clients? - [@bobhaugen](@iL6NzQoOLFP18pCpprkbY80DMtiG4JFFtVSVUaoGsOQ=.ed25519)\n\nThis should be true now in the latest versions of `ssb-server`. \n\nHowever, between March and September 2018 it was possible to request private messages from friends over `ssb-ws`.\n\nWhile it's unlikely that anyone used this attack over `ssb-ws`, I think it's wise for the current ssbc to disclose that private messages could have been insecure during this time.\n\n> But @Christian Bundy your merge referenced in https://github.com/ssbc/ssb-ws/pull/15#issuecomment-469061078 fixes the vulnerability in the server but also kills lite clients?\n\nYes, one way to fix this vulnerability is to kill lite clients. \n\nAnother way would be to disable private message indexing. This is the solution that I'd prefer, if I'm to continue to use the latest ssb-server.", "mentions": [ { "link": "@iL6NzQoOLFP18pCpprkbY80DMtiG4JFFtVSVUaoGsOQ=.ed25519", "name": "bobhaugen" } ] }