OpenID homesite authorization spoofed
Alaric Dailey
alaricdailey at hotmail.com
Mon Oct 23 01:38:06 UTC 2006
With my consent, Eddy has successfully spoofed OpenID using a server on his
internal network and then successfully used that to log onto my OpenID account
at myopenid.com. This didn't take any special hacking skills, just some DNS
trickery and a little coding. The problem would have been
Using encryption would have made this much more difficult. I have screen
shots if anyone cares, I'd attach them except that I am sure they would be
stripped.
Using mutual authentication between membersite and homesite would have
made it impossible, while still being transparent to the user. That isn't to
say there wouldn't be a footprint, but the user would have nothing more to
do.