> But if China chose to, they could simply require all Chinese websites to use government-issue certificates, forcing the world to choose between allowing Chinese MITM monitoring and losing access to China.
The more likely outcome of that gambit would just be that the CA would be restricted to .cn domains, possibly with some sort of install-on-demand warning.
> The more likely outcome of that gambit would just be that the CA would be restricted to .cn domains, possibly with some sort of install-on-demand warning.
A reasonable compromise, but one which wouldn't prevent MITM snooping or alteration of communications with Chinese websites, like this attack.
And to allow snooping of outgoing communications, the Chinese could also require that all browsers used in China trust the Chinese government CA without that restriction.
Agreed, although it technically would have helped against attacks like the ones we just saw where most of the parties involved – including Baidu – are using .com domains. No question, of course, that this would only result in heavy pressure on everyone doing business in China to use .cn domains.
That said, it would only matter if Baidu was doing something like serving the script only over HTTPS using HSTS, which I imagine would incur a non-trivial backlash for them.
I'd also be surprised if they couldn't relatively easily move on to another similarly insecure script requested by many people outside of China.
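As an added example (not from the thread), this models the ".cn-only CA" idea above as an RFC 5280 dNSName name constraint and applies it to constructed hostnames; it makes concrete why a constraint to .cn would have covered a .cn origin but not the .com origins the comment mentions. The class and function names are mine, not from any library.

```python
"""RFC 5280 dNSName name-constraint matching, applied to the '.cn-only CA' idea.

Constructed example. A CA restricted to .cn is modelled as a certificate
carrying a permittedSubtrees dNSName entry of 'cn'; matching follows
RFC 5280 s.4.2.1.10 (labels may only be added on the left-hand side).
"""
from dataclasses import dataclass, field


def _norm(name: str) -> str:
    # DNS names are case-insensitive; treat ".cn", "cn" and "cn." as the same constraint.
    return name.strip().lower().rstrip(".").lstrip(".")


def dns_name_matches(name: str, constraint: str) -> bool:
    """True if `name` equals `constraint` or extends it by whole labels on the left."""
    n, c = _norm(name), _norm(constraint)
    return n == c or n.endswith("." + c)


@dataclass
class NameConstraints:
    permitted: list = field(default_factory=list)  # permittedSubtrees dNSName entries
    excluded: list = field(default_factory=list)   # excludedSubtrees dNSName entries

    def allows(self, host: str) -> bool:
        # excludedSubtrees always wins over permittedSubtrees.
        if any(dns_name_matches(host, c) for c in self.excluded):
            return False
        # An empty permittedSubtrees places no restriction on this name type.
        if not self.permitted:
            return True
        return any(dns_name_matches(host, c) for c in self.permitted)


def issuance_allowed(ca: NameConstraints, leaf_hostnames: list) -> bool:
    """A leaf is acceptable only if every SAN it carries lies inside the CA's constraints."""
    return all(ca.allows(h) for h in leaf_hostnames)


# The hypothetical root from the thread: trusted for .cn only (constructed).
CN_ONLY_CA = NameConstraints(permitted=[".cn"])

if __name__ == "__main__":
    for hosts in (["www.baidu.cn"], ["www.baidu.com"], ["cn.example.com"]):
        verdict = "accepted" if issuance_allowed(CN_ONLY_CA, hosts) else "rejected"
        print(hosts, "->", verdict)
```

Note that the match is label-wise, so a name such as `cn.example.com` or `fakecn` is not brought inside the constraint by a plain string-suffix coincidence.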