I just stumbled over the outcome of the story Login/Logout - its not a bug its a feature and I'm not very pleased with the implemented 'solution' (others aren't, too; see help.antville). Of course, it is better than nothing, because someone who takes the time to check the URL of the login form now can be sure that it hasn't been tampered with. But this is more or less insider information, and insiders don't normally log in at untrusted blogs anyway. Here's an excerpt of the comment I posted under this story a couple of weeks ago:

IMO that approach isn't any good. it's nice of nosleep to document the issue and of you to try to prevent abuse, but you simply can't prevent a weblog creator who's allowed to integrate HTML without restrictions from fooling his visitors. restricting features will definitely annoy blog owners who lose control over their creations, but it won't help protecting innocent visitors, because a workaround that will still fool many of them can always be implemented.

The idea of making the login process "a little more secure" is futile—it either is secure or it's not. To prove my point, I just added a customised login form to my blog. As I already said, this approach would only work if several more restrictions would be implemented, some of which would be ridiculously nasty.

I'd suggest, if we really want to prevent that users' passwords are stolen, we should all make our login links point to the safe login, and there we should put up a message warning users of logging in anywhere else. This is how most sites with similar issues (e.g. go.icq.com) handle this. Educating the users, warning them of the dangers and presenting them with a safe workaround really is the only way to prevent them from doing stupid things.

Another possibility would be to restrict the customisation of skins so much that it's basicly not possible to write custom HTML any longer, which would make all blogs look somewhat the same and throw the whole Antville philosophy over board, so I'd say we shouldn't go for that.

I would be okay with having every user log in at www.antville.org, but as long as they're supposed to have the option of logging in at my blog, I want to customise that form so it fits in with the rest. So please lift that restriction, it doesn't do any good anyway.