You are reading content from Scuttlebutt
@ev %eg4ZE7orgCJdYErmsrKMXPIHXJ7to0hZ0kUKn8SeAXQ=.sha256
Re: %I6FaCzdXc

I want to give a brief update on the status of this vulnerability/bug.

Between @Christian Bundy, @cryptix and me, we've determined this to have been an unintentional bug that was introduced when scuttlebot got private indexing, and fixed when the connections layer was introduced.

I think this means many of the folks out there who are using the latest scuttlebot are not affected, and should be able to consider their private messages secure. (Well, as secure as anyone should consider a highly experimental cryptography project that has not been audited by a neutral third party.)

I've taken the preventative step of turning off private messages in my publicly served lite client at http://decent.evbogue.com/, until I can figure out how to disable private message indexing and/or get it working well with the latest scuttlebot and the lite client.

If anyone else is using lite clients, you should consider doing the same -- if you're offering connections to peers who are not using the same public/private keypair as the server.

The only other team I know of who is using lite clients is @regular and @jfr, so ccing you guys to make sure you know about this bug.
