undefined | Better HN

0 pointsmerb5y ago0 comments

> Except that without SSL, some JavaScript could be injected to grab the password completely outside of the RSA encryption. So assuming there is already a MITM who wants the password, all you'd be doing is making his attack slightly more complicated.

how does ssl prevent you from that? it doesn't.

0 comments

drodgers5y ago

An SSL client will cryptographically verify the authenticity of all messages recieved from Valve's servers, so the resulting webpage can't have any Javascript injected by someone without Valve's private key.

Without this kind of authentication, encrypting the connection would be pointless.

merbOP5y ago

well it depends an administrator of an org can actually inject javascript without intercepting the http response stream.

woodrowbarlow5y ago

the assumption is that the javascript would be injected into the page on its way from steam servers to your browser. ssl would prevent that. i think you're imagining a case where a user has (for example) installed a malicious browser extension. ssl would not help with that.

j / k navigate · click thread line to collapse