If memory serve me corectly OpenID can function in two ways.

1) The best is when the web server contacts the OpenID server and that agree on a secret to encrypt there communication by. Although the communication is via the client without the secret (that only the web server and OpenID server knows) you can not get the evil OpenID server to pretend to be the good one.

2) The other solution is where the details are passed between the OpenID and web servers via the client unencrypted. When this happens the web server should ask the OpenID server directly if what it received from the client is true.

You might have noticed that in both these scenarios the web server contacts the OpenID server in a way that bypasses the client completely so the server can not be spoofed.

…so in summary it is not actually problem at all, provided the person implementing the web site does not take any stupid short cuts and miss out part of the communication to save some coding time. With library available for most platforms there really is not need to take these shortcuts.

After this I tried to make a fake entry to the myopenid site, but that didn’t really help because another redirect is not possible. The solution I think is to run a “free” server that gives a valid response anytime, and then link the dns entry in the hosts file for myopenid to that server.

This is more work and will have to try that later.