Popular Dating Site Has No Love for Strong Security

Back in 2012, EFF first called out OKCupid for failing to safeguard user data by not implementing HTTPS site-wide.

Three years later, OKCupid still hasn’t fixed the problem. For users who haven’t upgraded to paid accounts, their emails, chat sessions, searches, clicked links, pages viewed, and usernames are transmitted over the Internet in unencrypted plaintext, where they can be intercepted and read by anyone on the network.

"HTTPS" is standard web encryption that ensures information sent and received online is encrypted. OKCupid enables some HTTPS encryption on the site—for example, for paid users and during initial log-in. But OKCupid does not enable HTTPS across the entire site. This means that while OKCupid doesn’t leak passwords entered during log in, it does leak a lot of other data about most users.

This data can be extremely sensitive. OKCupid includes survey questions to help match users with likely mates, and those questions can delve into deeply personal territory. OKCupid regularly asks users about illegal drug use, sexual preferences and history, religious beliefs, and much more.

Infuriating? We think so. And so do our friends at Fight for the Future. They just launched a new campaign to pressure the company into doing the right thing. They’ve got a public petition demanding the company protect users by adopting standard security practices like HTTPS encryption. Add your name to their petition. (See privacy policy).