How exactly does it work though? Yesterday I logged into a web site using OpenID, and noticed something very bad: they referred me to my OpenID provider (Yahoo in that case), where I logged in, and then I was referred back.
This is BAD because it is a paradise for phishing. How can I be sure that a random website really forwards me to my OpenID provider, and not to a phishing site that looks exactly the same?
To be fair, most users might be logged into their OpenID site (or Facebook Connect - isn't that essentially the same thing?) all the time, so they wouldn't need to enter login credentials on their "OpenID site". But overall, it made me think the only solution would be a browser plugin for handling the login stuff.
I don't know about other OpenID providers, but myopenid uses those crazy SSL certificates that are very pronounced in your URL bar, pretty hard to phish IMO.
I don't care so much for the SSL certificates as a protective measure, to be honest. Maybe I should invest more time to understand them, but my current impression is:
- there are now ways to get SSL certificates for free for anyone. So it would be easy to get a certificate for myopenid, where the "i" is not an "i" but some exotic letter that looks the same (or something like that).
- SSL certificates often don't work correctly (set up in the wrong way), so clicking away the warning is becoming a no-brainer. Maybe there isn't even a way to set them up to work correctly across a web site with subdomains, I am not sure. I mean, not even the Chaos Computer Club got them working on their own web site...
Of course SSL certificates are still necessary, but they don't seem to be sufficient to me. I suppose even if I type in a URL directly I can be fooled (DNS servers hacked or whatever), but still.
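As an added example (not code from anyone in this thread), here is the kind of sanity check a browser plugin or a cautious relying party could run on the redirect URL before following it to the OpenID provider: it requires HTTPS, decodes punycode so an IDN lookalike of "myopenid" is shown with its real characters, flags every non-ASCII character in the hostname, and compares the host to the provider the user expects. EXPECTED_OP_HOST and the sample URLs are constructed assumptions; a clean result does not replace checking the provider's certificate.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed assumption: the provider the user expects to be sent to.
EXPECTED_OP_HOST = "www.myopenid.com"
# Constructed lookalike: the "i" in myopenid is U+0456, a Cyrillic letter.
LOOKALIKE_HOST = "www.myopen\u0456d.com"
# The same lookalike as a relying party would actually send it: punycode.
PUNYCODE_URL = "https://" + LOOKALIKE_HOST.encode("idna").decode("ascii") + "/signin"

ASCII_HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")


def decode_host(url):
    """Hostname of url as Unicode, with punycode (xn--) labels decoded,
    so a lookalike is visible instead of hiding behind an xn-- label."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains raw non-ASCII characters


def check_redirect_target(url, expected_host):
    """List the problems with a redirect to an OpenID provider.
    An empty list means: HTTPS, plain-ASCII hostname, and the host is
    exactly expected_host (case-insensitive)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https: " + parts.scheme)
    host = decode_host(url)
    for ch in host:
        if ch not in ASCII_HOST_CHARS:
            problems.append("suspicious character U+%04X (%s) in hostname"
                            % (ord(ch), unicodedata.name(ch, "?")))
    if host != expected_host.lower():
        problems.append("host %r is not %r" % (host, expected_host))
    return problems


if __name__ == "__main__":
    for url in ("https://www.myopenid.com/signin", PUNYCODE_URL):
        print(url, "->", check_redirect_target(url, EXPECTED_OP_HOST) or "ok")
```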