How is the attack detectable at all given standard user practices?
HTTPS security is multi-layered and not simply provided by cryptographic
functions. Things such as the padlock icon and the EV-SSL green address
bar UI are major components of the system, and currently there is no part of that
system designed for detecting a MITM attack from a trusted authority.
Browsers have no standard mechanism for alerting users about changes in
certificates over time and there is no way for a user to tell what authority the
website provider intended to sign their content with.
This is not a reason to distrust CNNIC specifically, simply a weakness of SSL in