@ev %8SLkhxuOVze6TTNlZJ9BgcJ/P2wO7m5lg2f948UcdMg=.sha256
Re: %I6FaCzdXc

Could you specify what this means? The stack has changed quite a bit in the past six months, so I want to make sure that we're talking about exactly the same thing. Sorry for all of the questions, it's just that I'm struggling to understand and reproduce the issue without having all of the details. I can see the bug being triggered on a website, but I can't find the source for that website to identify what's going on. - @Christian Bundy

Thanks for taking the time to look at this, it's helpful to have other opinions about what's going on here.

You're correct that the stack has changed a lot in the last six months, and I've had trouble keeping up because many of the changes haven't been explained or documented very well. I had a lot of trouble getting the network layer to work with the lite client, so I ended up reverting to scuttlebot @ lts.

If this doesn't affect the latest scuttlebot, then it'd be great to know if this issue only affects my clients and (I think) @regular's clients.

You're correct, I'm using decent-ws, which lets anyone connect to http://decent.evbogue.com/ or http://ssblist.com/ -- which would mean wider exposure than ssb-ws, which only allows your friends to connect with you via websockets.

We can go deeper into the design decisions behind decent-ws vs ssb-ws, and I understand that decent-ws is probably not supported by the ssbc.

GitHub for ease of navigation: https://github.com/evbogue/decent-ws and here is the exact code that is running on my servers: https://github.com/evbogue/minsbot

My concern is that this vulnerability may have exposed private messages to friends between March 2018 and September 2018 when the network layer was implemented.

I did not really understand why the network layer was being implemented. But, if it was implemented because of this vulnerability, I wonder if we should notify users that their private messages could possibly have been breached (by friends) between March 2018 and September 2018?

And of course, I would need to look into the security of lite clients, if this is the only kind of client that is affected by this issue.

An easy fix for me would be to make it possible to disable private message indexing on the server.

Beyond this issue, it also concerns me that we're storing private messages in plain text from a security perspective. It'd be good to be able to easily turn this off.
