by merb 1978 days ago
> Except that without SSL, some JavaScript could be injected to grab the password completely outside of the RSA encryption. So assuming there is already a MITM who wants the password, all you'd be doing is making his attack slightly more complicated.

how does ssl prevent you from that? it doesn't.

2 comments

An SSL client will cryptographically verify the authenticity of all messages received from Valve's servers, so the resulting webpage can't have any JavaScript injected by someone without Valve's private key.

Without this kind of authentication, encrypting the connection would be pointless.

well it depends, an administrator of an org can actually inject javascript without intercepting the http response stream.

the assumption is that the javascript would be injected into the page on its way from steam servers to your browser. ssl would prevent that. i think you're imagining a case where a user has (for example) installed a malicious browser extension. ssl would not help with that.