OpenID security, any changes to this
This is the paragraph on OpenID security from Wikipedia. Are there any new updates about this, or any comments?
Security and phishing
Some observers have suggested that OpenID has security weaknesses and may prove vulnerable to phishing attacks.[26][27][28] For example, a malicious relying party may forward the end-user to a bogus identity provider authentication page asking that end-user to input their credentials. On completion of this, the malicious party (who in this case also controls the bogus authentication page) could then have access to the end-user's account with the identity provider, and as such then use that end-user's OpenID to log into other services.
In an attempt to combat possible phishing attacks some OpenID providers mandate that the end-user needs to be authenticated with them prior to an attempt to authenticate with the relying party.[29] This relies on the end-user knowing the policy of the identity provider. In December 2008, the OpenID Foundation approved version 1.0 of the Provider Authentication Policy Extension (PAPE), which "enables Relying Parties to request that OpenID Providers employ specified authentication policies when authenticating users and for OpenID Providers to inform the Relying Parties which policies were actually used."[30] Regardless, this issue remains a significant additional vector for man-in-the-middle phishing attacks.
Other security issues identified with OpenID involve lack of privacy and failure to address the trust problem.[31]
This phishing attack still holds. If I (as a phisherman) set up a page, I can link to my self-made (copied) Google login page and claim it's the real one. I don't even need to implement OpenID, I can just say that I do.
So yes, this attack is still very much possible. The solution is to educate computer users: they should check the domain name, make sure the login page uses SSL and that the SSL certificate is for the correct domain.
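The answer's advice (check the domain, require SSL) can also be enforced programmatically on the relying-party side before a user is redirected. The following is an added example, not code from the answer or from any OpenID library; the trusted-provider list and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames of the OpenID providers this relying party trusts (constructed list;
# a real deployment would load it from configuration).
TRUSTED_PROVIDER_HOSTS = {"accounts.google.com", "openid.example.net"}


def classify_provider_url(url, trusted_hosts=TRUSTED_PROVIDER_HOSTS):
    """Decide whether a provider login URL may be used for a redirect.

    Returns (ok, reason). Rejects plain http, URLs carrying user:pass@ prefixes
    (a classic way to make the real host look like the trusted one), and any
    host that is not exactly one of the trusted provider hostnames, so that
    look-alike domains such as accounts.google.com.evil.example are refused.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":          # urlsplit lowercases the scheme
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = parts.hostname                # lowercased, port stripped
    if host is None:
        return False, "no host"
    host = host.rstrip(".")              # "example.com." is the same name
    if host not in trusted_hosts:
        return False, f"untrusted host {host}"
    return True, "ok"


def run_samples():
    """Run the check over constructed URLs a relying party might be handed."""
    samples = [
        "https://accounts.google.com/o/openid",             # genuine provider
        "http://accounts.google.com/",                      # no SSL
        "https://accounts.google.com.evil.example/login",   # look-alike subdomain
        "https://accounts.google.com@evil.example/",        # userinfo trick
        "HTTPS://ACCOUNTS.GOOGLE.COM:443/",                 # case/port normalised
    ]
    return {u: classify_provider_url(u) for u in samples}


if __name__ == "__main__":
    for url, (ok, reason) in run_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {url}  ({reason})")
```

This only validates the URL string; confirming that the certificate actually presented belongs to that host is the job of the HTTPS client or browser, which the function relies on but does not replace.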