If this were a root cert, OSes and browsers could ban that CA. If you want this to work with SSL, giving the Great Firewall a domain cert would be enough.
HTTPS is not hackable “yet”, so you can’t intercept the traffic in the middle. They intercepted HTTP traffic and swapped the malicious JS file in HTTP traffic.
Can't China just issue its own certificates to make the browser see a secure connection to the target server when it talks to a Chinese firewall server instead? I mean, they have access to valid root certificates, right?
Can someone explain how using HTTPS would mitigate this attack?