

Soon all your blog comments will belong to Facebook or Google - vaksel
http://www.techcrunch.com/2008/12/16/soon-all-your-blog-comments-will-belong-to-facebook-or-google/

======
Tichy
How exactly does it work, though? Yesterday I logged into a web site using
OpenID, and noticed something very bad: they referred me to my OpenID provider
(Yahoo in that case), where I logged in, and then I was referred back.

This is BAD because it is a paradise for phishing. How can I be sure that a
random website really forwards me to my OpenID provider, and not to a phishing
site that looks exactly the same?

To be fair, most users might be logged into their OpenID site (or Facebook
Connect - isn't that essentially the same thing?) all the time, so they
wouldn't need to enter login credentials on their "OpenID site". But overall,
it made me think the only solution would be a browser plugin for handling the
login stuff.

~~~
jcapote
I don't know about other OpenID providers, but myOpenID uses those crazy SSL
certificates that are very pronounced in your URL bar, pretty hard to phish
IMO.

~~~
Tichy
I don't care so much for the SSL certificates as a protective measure, to be
honest. Maybe I should invest more time to understand them, but my current
impression is:

- there are now ways to get SSL certificates for free for anyone. So it would
be easy to get a certificate for myopenid, where the "i" is not an "i" but
some exotic letter that looks the same (or something like that).

- SSL certificates often don't work correctly (set up in the wrong way), so
clicking away the warning is becoming a no-brainer. Maybe there isn't even a
way to set them up to work correctly across a web site with subdomains, I am
not sure. I mean, not even the Chaos Computer Club got them working on their
own web site...

Of course SSL certificates are still necessary, but they don't seem to be
sufficient to me. I suppose even if I type in a URL directly I can be fooled
(DNS servers hacked or whatever), but still.
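
Added example, not part of any comment in this thread: a sketch of the check a browser plugin or client could run on the OpenID redirect target before any credentials are typed, covering the look-alike "i" case raised above. The host names, the allowlist and the small fold table are constructed assumptions; a real check would use the full Unicode confusables data (UTS #39).

```python
from urllib.parse import urlsplit

# Constructed allowlist: the provider hosts this user really logs in at.
TRUSTED_HOSTS = {"www.myopenid.com", "login.yahoo.com"}

# Constructed, deliberately tiny fold table of look-alike letters
# (Cyrillic i/o/e/a and dotless i); not the full UTS #39 data.
FOLD = {"\u0456": "i", "\u0131": "i", "\u043e": "o", "\u0435": "e", "\u0430": "a"}


def display_host(host):
    """Decode xn-- (punycode) labels so we compare what the user would see."""
    out = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # undecodable label: keep raw, it cannot match the allowlist
        out.append(label)
    return ".".join(out)


def classify_login_url(url):
    """Return 'trusted', 'lookalike' or 'untrusted' for a redirect target."""
    parts = urlsplit(url)
    host = display_host(parts.hostname or "")
    if host.isascii():
        # Only an exact allowlisted host over HTTPS counts as the provider.
        if parts.scheme == "https" and host in TRUSTED_HOSTS:
            return "trusted"
        return "untrusted"
    # Non-ASCII host: fold look-alike letters and see whether the result
    # impersonates an allowlisted provider.
    folded = "".join(FOLD.get(ch, ch) for ch in host)
    return "lookalike" if folded in TRUSTED_HOSTS else "untrusted"


if __name__ == "__main__":
    for url in ("https://www.myopenid.com/signin",
                "https://www.myopen\u0456d.com/signin",
                "http://www.myopenid.com/signin"):
        print(classify_login_url(url), ascii(url))
```

The comparison is an exact host match, so a valid certificate on a similar-looking domain does not make it trusted.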

------
swombat
Or Disqus.

Or Wordpress.

------
Zev
They don't already?

