I don't think Fedora's OpenID login has this flaw. Would it be possible to allow OpenID login for white-listed providers which are known to be well-behaved?
Unfortunately, Fedora's OpenID returns HTTP even when the request is made over HTTPS.
i18n@lists.stg.fedoraproject.org