This is the paragraph on OpenID security from Wikipedia. Are there any new updates about this, or any comments?
Security and phishing

Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[26][27][28] For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user's OpenID to log into other services.

In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party.[29] This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."[30] Regardless, this issue remains a significant additional vector for man-in-the-middle phishing attacks.

Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[31]
This phishing attack still holds. If I (as a phisherman) set up a page, I can link to my self-made (copied) Google login page and claim it's the real one. I don't even need to implement OpenID, I can just say that I do.

So yes, this attack is still very much possible. The solution is to educate computer users: they should check the domain name, make sure the login page uses SSL and that the SSL certificate is for the correct domain.
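The three checks the answer above recommends (right domain, HTTPS, certificate issued for that domain) can be expressed as a small validator. The code below is an added example, not code from the answer or from Wikipedia; it runs offline with constructed inputs. The `TRUSTED_IDP_DOMAINS` allowlist and the `cert_dns_names` parameter (standing in for the certificate's subjectAltName DNS entries, which a real client would take from the TLS handshake) are assumptions for the example. It goes slightly beyond the answer by handling the lookalike tricks a user is most likely to miss: a trusted name used as a subdomain of another domain, a trusted name placed in the URL's userinfo part, and certificate wildcards that cover more or less than people expect.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of identity-provider login domains the user
# (or an organisation's policy) actually trusts.
TRUSTED_IDP_DOMAINS = {"accounts.google.com", "login.example-idp.test"}


def host_matches_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a proper subdomain of it.

    Label-aware: "accounts.google.com.evil.test" does NOT match
    "accounts.google.com", and neither does "notaccounts.google.com".
    """
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def san_matches_host(san: str, host: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and only
    for exactly one label, as browsers do: "*.example.test" covers
    "a.example.test" but neither "a.b.example.test" nor "example.test".
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    return (len(san_labels) == len(host_labels)
            and san_labels[1:] == host_labels[1:])


def check_login_url(url: str, cert_dns_names: list[str]) -> list[str]:
    """Return the list of problems found; an empty list means all checks passed.

    cert_dns_names is a constructed stand-in for the subjectAltName DNS
    entries of the certificate the login page presented.
    """
    problems = []
    parts = urlsplit(url)
    # urlsplit strips userinfo, so "https://accounts.google.com@evil.test/"
    # correctly yields the hostname "evil.test".
    host = parts.hostname or ""

    if parts.scheme != "https":
        problems.append(f"not HTTPS: scheme is {parts.scheme!r}")
    if not host:
        problems.append("no hostname in URL")
        return problems
    if not any(host_matches_domain(host, d) for d in TRUSTED_IDP_DOMAINS):
        problems.append(f"hostname {host!r} is not a trusted identity provider")
    if not any(san_matches_host(n, host) for n in cert_dns_names):
        problems.append(f"certificate does not cover {host!r} (SANs: {cert_dns_names})")
    return problems


if __name__ == "__main__":
    # Constructed sample: a genuine login page versus two lookalikes.
    samples = [
        ("https://accounts.google.com/o/oauth2/auth", ["accounts.google.com", "*.google.com"]),
        ("https://accounts.google.com.evil.test/login", ["accounts.google.com.evil.test"]),
        ("https://accounts.google.com@evil.test/login", ["evil.test"]),
        ("http://accounts.google.com/login", ["accounts.google.com"]),
    ]
    for url, sans in samples:
        print(url, "->", check_login_url(url, sans) or "OK")
```

The domain check is deliberately an allowlist rather than a denylist: the user (or a browser extension acting for them) decides which identity providers are acceptable up front, so a convincing copy on any other host fails regardless of how it looks.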