
Tinder Lack of Encryption Raises Privacy Concerns - searchencrypt
https://www.wired.com/story/tinder-lack-of-encryption-lets-strangers-spy-on-swipes/
======
nasalgoat
I remember the early days of Tinder when they would allow unauthenticated API
calls from anywhere and returned location information accurate to a few feet.

It doesn't seem like much has changed.

------
yourkin
While no app should ever leak data, I'm skeptical of a lot of those
"concerns". Effort / effect seems to be in a non-practical area to justify
even an attempt at data-snooping.

In general reading infosec news it might seem that everything these days is so
insecure and vulnerable to the point where "if you have something valuable to
anyone else they'll get it eventually" might seem to be mostly true.

On the other hand, in real news on the individual level of hacks (not speaking
of viruses and the like here) there's almost never anything apart from the
occasional "dumb" hack with nothing more sophisticated than a guessed or
phished password for instance, without any further effort giving the hacker
access to a trove of invaluable data.

I don't understand this discrepancy. Can someone in the know in the security
industry say if anyone without "top secret" data or not being a VIP character
should even bother about the "concerns" raised in most instances, apart from
following basic security practices, i.e. updating often, using strong
passwords, not entering data into phishing sites?

------
gregoriol
While the images over HTTP seem really trivial to fix and can be considered
a "big mistake" from the devs, the other point in this article about the
number of bytes is trickier: wondering if any other HTTPS traffic could be
"guessed" like that (likes on Facebook or Instagram? ...). Any other known
case of that kind? How would one protect against that?

~~~
ikawe
padding the network traffic.
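
Added example, not part of the thread or of Tinder's code: a sketch of the padding idea in the reply above, where each message is length-prefixed and padded to a fixed bucket before encryption so that actions with different body sizes look the same on the wire. The 512-byte bucket, the sample message bodies and all function names are assumptions constructed for illustration.

```python
import json
import struct

BLOCK = 512  # assumed bucket size in bytes; not a value from the article

def pad(body: bytes, block: int = BLOCK) -> bytes:
    """Length-prefix the body, then zero-fill to the next multiple of block."""
    framed = struct.pack(">I", len(body)) + body
    return framed + b"\x00" * (-len(framed) % block)

def unpad(padded: bytes) -> bytes:
    """Recover the body, rejecting frames whose length prefix is inconsistent."""
    if len(padded) < 4:
        raise ValueError("frame shorter than length prefix")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("length prefix exceeds frame size")
    return padded[4:4 + n]

# Constructed sample messages: three actions whose bodies differ in size.
SAMPLE = {
    "pass": json.dumps({"action": "pass", "id": "u1"}).encode(),
    "like": json.dumps({"action": "like", "id": "u1", "ts": 1516000000}).encode(),
    "match": json.dumps({"action": "like", "id": "u1", "ts": 1516000000,
                         "match": {"id": "m1", "greeting": "hi"}}).encode(),
}

def wire_lengths(messages: dict, transform=lambda b: b) -> dict:
    """Plaintext length per action as handed to TLS. AEAD cipher suites add
    a constant per-record overhead, so ciphertext length tracks this value."""
    return {name: len(transform(body)) for name, body in messages.items()}

def distinguishable(lengths: dict) -> bool:
    """True if an observer can tell at least two actions apart by size alone."""
    return len(set(lengths.values())) > 1

if __name__ == "__main__":
    print("unpadded:", wire_lengths(SAMPLE))
    print("padded:  ", wire_lengths(SAMPLE, pad))
```

Padding only hides size within a bucket: a body that crosses a bucket boundary still produces a different length, so the bucket has to be chosen to cover the largest message in the set being protected.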

------
bouvin
I'm not interested in their product, but if I were, I think the thought of the
amount of intimate data that Tinder collects from its users would keep me well
away.

------
firloop
I vote the URL be changed to
[https://www.wired.com/story/tinder-lack-of-encryption-lets-s...](https://www.wired.com/story/tinder-lack-of-encryption-lets-strangers-spy-on-swipes/)
which has a better write up and doesn't have infuriating scroll behavior

~~~
sctb
Thanks! We've updated the link from
[https://choosetoencrypt.com/news/tinder-lack-encryption-rais...](https://choosetoencrypt.com/news/tinder-lack-encryption-raises-privacy-concerns/).

------
IntronExon
I think that it’s possible they realize privacy concerns are not foremost in
the minds of people looking to hook up with perfect strangers. I would guess
that “random hookup” and “serious about security” will tend to be mutually
exclusive.

~~~
walrus01
Yes, but inexcusable on the part of the Tinder software developers, IMHO,
considering the very low technical/knowledge barrier to entry to do proper
TLS 1.2 everywhere now.

~~~
natethinks
You assume the Tinder devs have the freedom to work on what they want to. As
frustrating as it is, in big corporate engineering shops, you are paid to do
what the execs want to be done, not what you know needs doing.

~~~
walrus01
Okay, so whatever CTO thinks this is acceptable needs to be shown the door.

