This attack works because the firewall is capable of reading plain HTTP requests to spot the ones that are requesting the target javascripts, and then statelessly injecting raced packets. Neither technique works when SSL is in use. Even if China simply demanded the SSL keys from Baidu, they'd have to decrypt every single connection on the fly and significantly upgrade their infrastructure.
I think the only way to continue this technique in the presence of widespread SSL use is to actually force Baidu to insert the malicious JavaScript on their own servers.
> Even if China simply demanded the SSL keys from Baidu, they'd have to decrypt every single connection on the fly and significantly upgrade their infrastructure.

Umm... not really. All you'd have to do is select whatever subset of connections you want to inject code into, and then terminate them with your own web server that has Baidu's SSL keys, then let the rest of the connections go through transparently to Baidu.
You can't easily select that unless the stuff you want is on a dedicated, relatively low-traffic hostname. If everything is served off e.g. ads.baidu.cn then you have to decrypt all ad traffic, which is a lot.
You can select a random subset very easily at the layer-3/4 level. It's really not that different from just adding a host behind a layer-4 load balancer.
...and actually it doesn't have to be completely random. You could select specific IP addresses to intercept.