If they put this fake certificate in a certificate root server that's in the trusted server list, they can easily get anyone's account who's using affected browsers.
It's weird that they start with Github. It's not a website that's popular among human activists or any other people that China government might be interested in. Instead, it's popular among programmers and hackers, who are the main group and forces in China to help people bypass GFW to access blocked content. I suppose this attack might be what the government uses to test reaction and capability of hackers.
Seriously, this is really, really, bad.
EDIT: added link for bug report
I'm not suggesting that this will be free of problems, given how particular Git is about checksums, nor am I certain what methods they would use to acquire SSH commit access for altering repository contents to affect the rest of the world.
Still, it's absolutely a necessary prerequisite to altering data from GitHub - and, if they acquire SSH keys, altering data at GitHub. Both possibilities are terrifying.
Disclosure: I work for Mozilla, but not on security.
You are right there's no reason to believe that CNNIC has to be bad/evil/whatever, but we cannot assume CNNIC would never be bad/evil either. We have to look at its history, and what's behind it.
When something turns bad, it won't throw out an announcement beforehand. And we need something that can handle this in time.
I'm thinking about something like this: in addition to the trusted root server list, keep another list, e.g., less trusted root servers; besides normal update program, put a special piece of code in the browser that allows firefox team to delete certain root server from less trusted root servers on the air. By "on the air", I mean not needing a full version update, or restarting the browser. It can warn the user, but it should not be possible to canceled the deletion.
Having been in the internet industry in China for more than 10 years before I decided to move to the US I would say CNNIC is just as evil as any government organization in China if not worse. There are some well known rules regarding CNNIC: don't buy a .cn domain, don't install any software from them and don't trust what they say.
BTW non government organizations are technically banned in China. You need to apply for a permit and you seldom get one.
If you've been logged into github and you told your browser to ignore the warnings then better keep a really good eye on your commit log, lest something pops up that you didn't actually put in there.
And change your password at the earliest opportunity.
If value is defined as the number of machines that can be backdoored, communications intercepted and so on then it may very well be that that other form of value will be realized in good time as well.
I don't think it's safe to assume that they started with Github.
GitHub is popular among developers.
Many developers have faster computers and more computers per household than others that aren't in IT/development.
Many developers, though they pretend to be security minded and focused at times, often have a more lax attitude in practice than system administrators, especially at home or working on personal projects.
Some developers have more usernames/passwords and certs to other servers available than non-developers would.
Some developers have access to other confidential data or newer technology that could be of practical use.