@ev does the problem of exposing private message data only appear in lite clients? - @bobhaugen

This should be true now in the latest versions of ssb-server.

However, between March and September 2018 it was possible to request private messages from friends over ssb-ws.

While it's unlikely that use this attack over ssb-ws, I think it's wise for the current ssbc to disclose that private messages could have been insecure during this time.

But @Christian Bundy your merge referenced in https://github.com/ssbc/ssb-ws/pull/15#issuecomment-469061078 fixes the vulnerability in the server but also kills lite clients?

Yes, one way to fix this vulnerability is to kill lite clients.

Another way would be to disable private message indexing. This is the solution that I'd prefer, if I'm to continue to use the latest ssb-server.