I don't mean to downplay the issue, but why would LGBT-hostile nation-states target Grindr's infrastructure when it's much easier to detect users at the network level based on TLS SNI (since encrypted SNI is still not a thing thanks to corporate influence)?
I'm sure a government could detect that a citizen visited grindr.com, but it'd be harder to guarantee that they actually had intent to commit "crimes" without access to unencrypted internal messages.
I'm also concerned about an antagonist nation-state that gets the personal emails of top officials at the Department of Defense, goes through a targeted list in an attempt to find out who's a member, and, if a match is found, then engages in a blackmail scheme for secret information.
> I'm sure a government could detect that a citizen visited grindr.com, but it'd be harder to guarantee that they actually had intent to commit "crimes" without access to unencrypted internal messages.
Why would that hypothetical government care about that? Just lock everyone up!
You're assuming the attackers are that sophisticated. With an attack this simple, it could be exploited by a group of thugs at a local police station (with maybe a "computer-savvy friend") logging into local accounts to see if they can find anyone they recognize.
Blackmail-wise, there is an even bigger difference: "I know you use Grindr" vs. "this is your last conversation on Grindr". These have very different credibility and impact when leaked.