by geofft
2727 days ago
> Now that everyone has a Google account, the possibility of credential theft seems like something worth taking seriously.

Not sure I follow - is the idea to redirect from google.com to an attacker's site that spoofs the Google login page? I think we'll get more mileage out of solving that with origin-aware authentication mechanisms (password managers, U2F, WebAuthn, etc.) and perhaps address bars that show the eTLD+1 instead of / more prominently than the full URL. Phishing is already a problem even without open redirects.

> Widely distribute links "to a cute puppy on Instagram" that redirect to a URL that triggers a resource-intensive search operation on the victim's server?

Keep in mind that unrelated web pages can send GET requests to each other by just using an image tag, so if your website has a resource-intensive search delivered over GET and no automation to detect suspicious behavior and spikes in certain types of requests, you're already vulnerable to this via e.g. someone submitting an interesting blog page to HN that loads your search page as a resource. Either make it POST or add some HTTP-level DDoS protection a la Cloudflare. Same with advertising fraud - ad clicks should be POSTs. (Open POST redirects do seem more dangerous but are probably rare.)
Everything else in your comment is spot on.
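As an added defender-side example, not code from this thread or from any project it mentions: a validator for a post-login `?next=` target that only sends the user to a same-origin path or to an explicitly allowlisted host and otherwise falls back to `/`, closing the open-redirect hole the thread is about. It goes a little beyond the discussion by handling the parser tricks (`//host`, `///host`, `/\host`, userinfo `@`) that defeat naive "starts with a slash" checks; the hostnames in `ALLOWED_HOSTS` are assumed.

```python
"""Validate a redirect target (e.g. a login ?next= parameter) so it cannot be abused as an open redirect."""
from urllib.parse import urlsplit, urlunsplit

# Assumed allowlist of hosts we are willing to redirect to (not from the thread).
ALLOWED_HOSTS = frozenset({"www.example.com", "accounts.example.com"})
FALLBACK = "/"


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return `target` if it is safe to redirect to, otherwise FALLBACK ("/")."""
    if not isinstance(target, str):
        return FALLBACK
    target = target.strip(" ")
    # Browsers drop tabs/newlines and treat '\' like '/' in http(s) URLs, so
    # "/\tevil.com" or "/\evil.com" would be interpreted as "//evil.com".
    if not target or any(c == "\\" or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return FALLBACK

    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Same-origin path: exactly one leading '/'. "//h" and "///h" both resolve to
        # host h in a browser (urlsplit reports "///h" as path "/h", so check the raw string).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK

    # Absolute URL: https only, no userinfo ("https://www.example.com@evil.com/" has
    # hostname evil.com), host on the allowlist, default port only.
    if parts.scheme.lower() != "https" or parts.username is not None or parts.password is not None:
        return FALLBACK
    if parts.hostname not in allowed_hosts or parts.port not in (None, 443):
        return FALLBACK
    # Re-emit a canonical form rather than echoing the attacker-controlled string.
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
```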