> To make matters worse for Drupal security records, the vulnerability is being actively exploited hours after the patch was released by the Drupal core team.
This is true for Drupal 7, but not for Drupal 8. Nothing in wild has surfaced regarding SA-CORE-2018-004 for D8 yet.
I started looking at trying to write an implementation of the protocol documented here: https://ssbc.github.io/scuttlebutt-protocol-guide/. I was surprised just how little information exists on the handshake and message exchange protocols. The reference implementations of both seem quite immature.
Was there no existing protocol for sending P2P messages between clients this could have been built on top of?
This is true for Drupal 7, but not for Drupal 8. Nothing in wild has surfaced regarding SA-CORE-2018-004 for D8 yet.