[OpenID] Phishing? Web browser integration?

SitG Admin sysadmin at shadowsinthegarden.com
Sun Sep 12 17:34:48 UTC 2010


>Before doing so, I double-checked the address because I'm aware of 
>phishing scams, but I'm afraid the vast majority of people would not 
>do so.

Did you re-type the domain segment of the URL?

Homographic attacks (where your browser doesn't display foreign 
non-printable characters) have deceived users before.

>I think we're kind of lucky that openID isn't widespread, otherwise 
>many people could see their email accounts stolen, and with them all 
>the other accounts (paypal etc.).

I think it's kind of stupid to use your E-mail authentication system 
as your OpenID authentication system; fortunately, there are 
alternatives available for, well, everyone. You (any user) can set 
your OpenID to be completely unassociated with any other accounts you 
have. Unfortunately it's then kind of useless. You *can*, though, set 
your OpenID to use different passwords for every site it 
authenticates to, meaning that someone who stole your Google 
credentials would *not* be able to access your PayPal with the same 
password.

Furthermore, there are solutions such as CallVerifID, which refuses 
to authenticate you no matter *what* password you enter - it calls up 
your (cell) phone, tells you what's going on, and asks you whether 
this is an approved login. This automatically notifies you if anyone 
is trying to break into your account, and it doesn't let them.

>I think this is a MAJOR flaw, and the only solution that I see would 
>be to try to integrate openID in the browser in some way, to make 
>phishing impossible.
>Any ideas? Any comments?

Browser integration is something that many of us have been hoping 
for, but there are simpler solutions to the problem you describe.

-Shade
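Added example, not code from the post or its author: a small Python check of the kind a relying party or a browser extension could run on a hostname before showing it to a user. It decodes punycode ("xn--") labels back to Unicode and flags any label that mixes scripts (for instance a Cyrillic "а" inside an otherwise Latin name), which is the lookalike trick the reply refers to as a homographic attack. Only the standard library is used; the sample hostnames are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass, field


@dataclass
class HostAssessment:
    unicode_host: str                      # hostname with punycode labels decoded
    scripts: set = field(default_factory=set)  # scripts seen across all labels
    mixed_script: bool = False             # True if any single label mixes scripts
    verdict: str = "ok"


def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode character name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode_host(host: str) -> str:
    """Turn punycode ('xn--') labels back into Unicode so lookalike letters become visible."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode, or not valid punycode: inspect the string as given.
        return host


def assess_host(host: str) -> HostAssessment:
    """Decode the hostname and flag labels whose letters come from more than one script."""
    uni = to_unicode_host(host)
    result = HostAssessment(unicode_host=uni)
    for label in uni.split("."):
        # Hyphens and digits are script-neutral, so they are skipped.
        scripts = {script_of(ch) for ch in label if not (ch == "-" or ch.isdigit())}
        result.scripts |= scripts
        if len(scripts) > 1:
            result.mixed_script = True
    if result.mixed_script:
        result.verdict = "mixed-script label: likely homograph, do not trust by eye"
    elif result.scripts - {"LATIN"}:
        result.verdict = "non-Latin label: show the Unicode form to the user"
    return result


if __name__ == "__main__":
    # Constructed sample hostnames (not taken from the mailing list post).
    samples = [
        "paypal.com",                                  # plain ASCII
        "p\u0430ypal.com",                             # second letter is Cyrillic U+0430
        "p\u0430ypal.com".encode("idna").decode("ascii"),  # same name as the browser sends it
        "\u0430\u0440\u0440\u04cf\u0435.com",          # whole label Cyrillic, looks like Latin
    ]
    for h in samples:
        r = assess_host(h)
        print(f"{h!r:40} -> {r.unicode_host!r:20} {sorted(r.scripts)} {r.verdict}")
```

The check works on the decoded form because punycode is what actually travels in the URL; a label that passes as all-Latin to the eye but mixes scripts after decoding is exactly the case a visual double-check of the address bar misses.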

