[drodgers]

An SSL client will cryptographically verify the authenticity of all messages recieved from Valve's servers, so the resulting webpage can't have any Javascript injected by someone without Valve's private key.

Without this kind of authentication, encrypting the connection would be pointless.

[merb]

well it depends an administrator of an org can actually inject javascript without intercepting the http response stream.