Many OpenID-enabled sites default to http identifiers, even if the OpenID provider supports https (such as myopenid.com).
Does this pose a threat besides the identity being exposed? The second step of the OpenID authentication includes a verification of the signature provided by the identity provider. But couldn't a rogue identity provider just sign anything? I mean, is there a step in the OpenID protocol that verifies the provider is valid for the entered OpenID?
Edit: This question is about consumers such as Stack Exchange, not identity providers. Stack Exchange only uses https for Google, and unencrypted http for all other OpenID providers. I know that myopenid.com does support https, but Stack Exchange does not use it. The same is true for other sites, even ones that usually take security more seriously than Stack Exchange, e.g. SourceForge.