So breaking encryption is accepted; serving malicious scripts is accepted (it's what happened in this attack), but breaking encryption to serve malicious scripts would be out of limits? That doesn't make much sense.
Serving malicious scripts is very bad, and may not actually be accepted. I know I would hesitate to use baidu analytics after this. But people might come around if they say something about SSL and wont happen again.
If the encryption is then broken and it is done again, then a) it will prove that China did it. Because you can see who signed the certificate. b) it will prove that technical countermeasures are not enough, since the problem is deeper than that.
