Some takeaways from the article:
- An OpenID provider knows all the sites you authenticate to. From a privacy standpoint, I am not personally OK with that. Others will have different pain thresholds on this.
- OpenID is vulnerable to session hijacking if the redirect from the OpenID provider to the relying party is not done over SSL. This would obviously apply to both the OP and RP. Of course, while this is certainly a danger, it is no different than the risk of session hijacking that can happen at any time after authentication, as I discuss here.
- If the user can be lured to a malicious site, a cross-site request forgery attack can be used. The attacker could try to guess other sites on which the user might have OpenID enabled and count on the fact that, by authenticating to the malicious site, the user now has a current session at the OpenID provider. If OpenID ever reaches widespread adoption for sensitive applications (i.e. the kinds that attract hackers), this kind of attack will be very likely.
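
A relying-party-side sketch of the two mitigations the last two points call for, added here as an example and not taken from the article: the RP starts an OpenID login only from a form its own session rendered, and accepts the provider's redirect only over https and only for a login it started. The function names, the `rp_nonce` parameter and the dict-based session are assumptions; the check runs in addition to normal verification of the OpenID assertion.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def issue_form_token(session: dict) -> str:
    """Store a fresh anti-CSRF token in the session; embed it in the RP login form."""
    session["csrf"] = secrets.token_urlsafe(16)
    return session["csrf"]

def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def start_login(session: dict, form_token: str, return_to_base: str) -> str:
    """Begin an OpenID login only for a form this session actually rendered."""
    expected = session.get("csrf", "")
    if not expected or not _same(expected, form_token):
        raise PermissionError("login request did not come from our own form")
    if urlsplit(return_to_base).scheme != "https":
        raise ValueError("return_to must use https")
    session.pop("csrf")                       # form token is single use
    session["pending"] = secrets.token_urlsafe(16)
    # rp_nonce (hypothetical name) ties the provider's redirect to this session.
    return return_to_base + "?" + urlencode({"rp_nonce": session["pending"]})

def accept_return(session: dict, return_url: str) -> bool:
    """Accept the provider's redirect only over https and for a login we started."""
    parts = urlsplit(return_url)
    nonce = parse_qs(parts.query).get("rp_nonce", [""])[0]
    pending = session.pop("pending", "")      # one attempt per started login
    return parts.scheme == "https" and bool(pending) and _same(pending, nonce)
```

A login request forged from another site carries no valid form token, so it never reaches the provider, even while the user's provider session is live.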