Deep SSL/TLS Vulnerability Test
This report provides a deep analysis of the SSL/TLS configuration of Web.grindr.com. It checks for protocol support, cipher strength, and known vulnerabilities.
Scan Results
Testing all IP addresses (port 443): 104.16.234.5 104.16.235.5 ----------------------------------------------------- Start 2026-01-25 16:55:39 -->> 104.16.234.5:443 (web.grindr.com) <<-- Further IP addresses: 104.16.235.5 rDNS (104.16.234.5): -- Service detected: HTTP Testing for server implementation bugs No bugs found. Testing HTTP header response @ "/" HTTP Status Code 200 OK HTTP clock skew +272 sec from localtime HTTP Age (RFC 7234) 272 IPv4 address in header Set-Cookie: __cf_bm=cWZ03UZTYp4uxm84VuAMM0P2Yc4FD51Anbx.g_O_eHQ-1769360163-1.0.1.1-LLhtVaTOntH3u4arAr93JbrHFjqznH3AiJ0EBmBggxoiN29c98BkW22Zqxy9gZjgO1_pNMI3.mBEQlw4rK3fl_HrSA9ikiTAO0ffQ3IOvPw; path=/; expires=Sun, 25-Jan-26 17:26:03 GMT; domain=.grindr.com; HttpOnly; Secure; SameSite=None (check if it's your IP address or e.g. a cluster IP) Strict Transport Security 365 days=31536000 s, includeSubDomains Public Key Pinning -- Server banner cloudflare Application banner -- Cookie(s) 1 issued: 1/1 secure, 1/1 HttpOnly Security headers Content-Security-Policy: default-src 'none'; script-src 'self' https://connect.facebook.net/en_US/sdk.js https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js ttps://cdn.cookielaw.org https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/ https://global.ketchcdn.com https://cdn.ketchjs.com 'sha256-z4Qgs5v9Qb+YFBfETRjCILQQ422e2YC9CtzqOfzFO/g=' sha256-6bkR/wIR+QfzjzVBBkstWKSy5GDomfDysux7OC+LQBI='; ont-src 'self'; manifest-src 'self'; img-src 'self' data: blob: https://cdns.grindr.com https://*.giphy.com https://*.cloudfront.net https://cdn.cookielaw.org https://braze-images.com https://twemoji.maxcdn.com https://cdn.jsdelivr.net https://www.facebook.com/tr/ https://global.ketchcdn.com; media-src 'self' data: blob: https://cdns.grindr.com https://*.cloudfront.net; connect-src 'self' wss://grindr.mobi/v1/ws https://web.grindr.com wss://chat.grindr.com:2443 wss://presence.grindr.com grindr.com https://*.mapbox.com https://*.giphy.com https://*.amplitude.com https://api.dev2.grindr.io https://*.ingest.sentry.io https://cdn.cookielaw.org https://geolocation.onetrust.com https://*.braze.com https://*.google.com/recaptcha/ https://*.gstatic.com/recaptcha/ https://*.recaptcha.net/recaptcha/ https://grindr.mobi/ https://grindr-privacy.my.onetrust.com/request/v1/consentreceipts ttps://www.facebook.com/platform/ https://www.facebook.com/x/oauth/ https://global.ketchcdn.com; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; frame-ancestors 'none'; object-src 'none'; child-src 'self' blob:; frame-src 'self' https://recaptcha.google.com/recaptcha/ https://www.recaptcha.net/recaptcha/; Access-Control-Allow-Origin: https://web.grindr.com Access-Control-Allow-Credentials: true Cache-Control: private, no-cache, no-store, must-revalidate Reverse Proxy banner via: 1.1 26ba804cbae0bbdf298f43f10bb64ed4.cloudfront.net (CloudFront) x-cache: Hit from cloudfront Testing vulnerabilities Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested Can be ignored for static pages or if no secrets in the page POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=BBF4AE018A511C174D603A0DE248D4CD89A09815BECA7D92E28106AB44D4D40D LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses obsolete cipher block chaining ciphers with TLS, see server prefs. Winshock (CVE-2014-6321), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Done 2026-01-25 16:56:23 [ 53s] -->> 104.16.234.5:443 (web.grindr.com) <<-- ----------------------------------------------------- Start 2026-01-25 16:56:23 -->> 104.16.235.5:443 (web.grindr.com) <<-- Further IP addresses: 104.16.234.5 rDNS (104.16.235.5): -- Service detected: HTTP Testing for server implementation bugs No bugs found. Testing HTTP header response @ "/" HTTP Status Code 200 OK HTTP clock skew +316 sec from localtime HTTP Age (RFC 7234) 316 IPv4 address in header Set-Cookie: __cf_bm=1bU5Aqodq.ealq_qS8u5.8KeYF.uL0oG8znFPR7Gl.Y-1769360207-1.0.1.1-FX.Z7dspdAqBI0Apf4jeRzMhnavaxDSKtJxjGaGA.6lvBviuDqeGE92gTjHtTdRz0shqFBNcHtc_rlpFQgxdcQWcDdocKPj5CcgSghYyMJI; path=/; expires=Sun, 25-Jan-26 17:26:47 GMT; domain=.grindr.com; HttpOnly; Secure; SameSite=None (check if it's your IP address or e.g. a cluster IP) Strict Transport Security 365 days=31536000 s, includeSubDomains Public Key Pinning -- Server banner cloudflare Application banner -- Cookie(s) 1 issued: 1/1 secure, 1/1 HttpOnly Security headers Content-Security-Policy: default-src 'none'; script-src 'self' https://connect.facebook.net/en_US/sdk.js https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js ttps://cdn.cookielaw.org https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/recaptcha/ https://global.ketchcdn.com https://cdn.ketchjs.com 'sha256-z4Qgs5v9Qb+YFBfETRjCILQQ422e2YC9CtzqOfzFO/g=' sha256-6bkR/wIR+QfzjzVBBkstWKSy5GDomfDysux7OC+LQBI='; ont-src 'self'; manifest-src 'self'; img-src 'self' data: blob: https://cdns.grindr.com https://*.giphy.com https://*.cloudfront.net https://cdn.cookielaw.org https://braze-images.com https://twemoji.maxcdn.com https://cdn.jsdelivr.net https://www.facebook.com/tr/ https://global.ketchcdn.com; media-src 'self' data: blob: https://cdns.grindr.com https://*.cloudfront.net; connect-src 'self' wss://grindr.mobi/v1/ws https://web.grindr.com wss://chat.grindr.com:2443 wss://presence.grindr.com grindr.com https://*.mapbox.com https://*.giphy.com https://*.amplitude.com https://api.dev2.grindr.io https://*.ingest.sentry.io https://cdn.cookielaw.org https://geolocation.onetrust.com https://*.braze.com https://*.google.com/recaptcha/ https://*.gstatic.com/recaptcha/ https://*.recaptcha.net/recaptcha/ https://grindr.mobi/ https://grindr-privacy.my.onetrust.com/request/v1/consentreceipts ttps://www.facebook.com/platform/ https://www.facebook.com/x/oauth/ https://global.ketchcdn.com; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; frame-ancestors 'none'; object-src 'none'; child-src 'self' blob:; frame-src 'self' https://recaptcha.google.com/recaptcha/ https://www.recaptcha.net/recaptcha/; Access-Control-Allow-Origin: https://web.grindr.com Access-Control-Allow-Credentials: true Cache-Control: private, no-cache, no-store, must-revalidate Reverse Proxy banner via: 1.1 b0ba3f832dacd800b523d77924ab7db0.cloudfront.net (CloudFront) x-cache: Hit from cloudfront Testing vulnerabilities Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) potentially NOT ok, "gzip" HTTP compression detected. - only supplied "/" tested Can be ignored for static pages or if no secrets in the page POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507) No fallback possible (OK), no protocol below TLS 1.2 offered SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services, see https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=BBF4AE018A511C174D603A0DE248D4CD89A09815BECA7D92E28106AB44D4D40D LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) not vulnerable (OK), no SSL3 or TLS1 LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses obsolete cipher block chaining ciphers with TLS, see server prefs. Winshock (CVE-2014-6321), experimental not vulnerable (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Done 2026-01-25 16:57:07 [ 97s] -->> 104.16.235.5:443 (web.grindr.com) <<-- ----------------------------------------------------- Done testing now all IP addresses (on port 443): 104.16.234.5 104.16.235.5
About this Scan
This scan uses testssl.sh to check for:
- Protocols: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3
- Vulnerabilities: Heartbleed, POODLE, FREAK, Logjam, DROWN, etc.
- Cipher Suites: Weak ciphers, perfect forward secrecy (PFS) support.