Hopefully I won't embarrass myself too much with this post, because I haven't really researched the ins and outs of OpenID. From using it a couple of times I got the impression that the concept has a big flaw, though.

Usually what happens when I try to sign up for a site with OpenID is that the site forwards me to my OpenID provider. Then I have to log in to that OpenID provider's site and confirm to the OpenID provider that I want to log in to the original site.

And that is the problem right there: some random site on the internet forwards me to my OpenID provider, where I proceed to enter my login credentials. That is a classic phishing scenario.

How can I be sure that the site I am being forwarded to is really the site of my OpenID provider? Phishers are experts at mimicking other sites. They could forward me to another site that looks almost the same as the site of my OpenID provider. Often this is done by slightly misspelling the name of the site; in some cases the name even looks identical, because letters from other scripts look the same as the Latin ones, so it is impossible to spot the difference by eye.

There are some mechanisms that try to prevent site spoofing, such as HTTPS, but I think the reality is that none of them really are good enough. The only way to make sure you are on the site you want to be on is to type its URL in by hand, without making any spelling mistakes (even then it is probably not 100% sure, because the domain name resolution system could also be tampered with, but that is another topic altogether, and I don't know much about it). For the same reason one shouldn't click on links in emails: for example, if you get a link (supposedly) from eBay to check your auction, that email could be from a fake eBay linking to a spoofed eBay site that will phish your eBay login.
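To make the "check where you are actually being sent" advice concrete, here is a small added example (my own illustration, not code from the post or from any OpenID library) of the checks a browser extension or a cautious relying party could run on a redirect target before a user types a password into it. The trusted provider host (openid.example.net) and all of the URLs are constructed for the example. It requires HTTPS, extracts the real hostname (so a "trusted" name hidden in the user-info part of the URL does not fool it), converts the hostname to the punycode form the browser actually resolves, and flags look-alike hostnames that use letters from more than one script.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical provider host, the one the user typed in by hand and trusts.
TRUSTED_PROVIDER_HOST = "openid.example.net"


def ascii_host(host: str) -> str:
    """Return the hostname as the resolver sees it (IDNA / punycode, lowercased)."""
    return host.encode("idna").decode("ascii").lower()


def scripts_in(host: str) -> set:
    """Unicode scripts used by the letters of a hostname, e.g. {'LATIN'} or {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:  # character without a Unicode name: treat as suspicious script
                scripts.add("UNKNOWN")
    return scripts


def check_redirect(url: str, trusted_host: str = TRUSTED_PROVIDER_HOST) -> tuple:
    """Decide whether `url` really points at the trusted provider.

    Returns (ok, reason). Only an https URL whose resolved hostname equals the
    trusted host passes; everything else is rejected with a short reason.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "not https"
    host = parts.hostname or ""        # strips user-info, port, path; lowercases
    if not host:
        return False, "no host"
    try:
        actual = ascii_host(host)
        expected = ascii_host(trusted_host)
    except UnicodeError:
        return False, "invalid host"
    if actual != expected:
        punycode_label = any(label.startswith("xn--") for label in actual.split("."))
        if punycode_label or len(scripts_in(host)) > 1:
            return False, "lookalike (non-ASCII or mixed-script) host"
        return False, "host mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed redirect targets a relying party might send the user to.
    samples = [
        "https://openid.example.net/auth?rp=some-site",          # genuine provider
        "http://openid.example.net/auth",                         # no TLS
        "https://openid.example.net@evil.example/auth",           # trusted name in user-info only
        "https://openid.examp1e.net/auth",                        # digit one for letter l
        "https://openid.ex\u0430mple.net/auth",                   # Cyrillic a (U+0430) for Latin a
    ]
    for s in samples:
        print(check_redirect(s), "<-", s)
```

The mixed-script test is deliberately blunt: legitimate internationalized domains exist, so a real deployment would whitelist the scripts the user's own provider name uses rather than rejecting every non-Latin letter. The point of the example is that the comparison has to be made against the punycode form and against the real hostname, not against what the address bar appears to show.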

But I don't want to educate about phishing, there is enough information about it on the internet already. I just wanted to raise my concerns about this problem with OpenID.

Many might feel that the problem is not really severe, or maybe it is just a problem of the particular implementations of OpenID that I have used. My own feeling is that as web developers we have a responsibility not to encourage dangerous behaviour on the part of our users, and therefore OpenID in its current form has lost a lot of appeal to me.

One possible way to deal with the problem would be to always stay logged in to one's OpenID provider and never log in when being forwarded to it. Hopefully, if you are already logged in, you don't need to log in again when being forwarded; you only have to confirm the authentication request of the original site.

Please leave comments and correct me if I am wrong. Thanks!