Cyber criminals, such as the Chinese government, can theoretically add similar code to any unsecured connection, and there’s little anyone can do about it, except encrypting their connections as much as possibleï»¿ï»¿ï»¿ ( I’m guessing that, like their users, the admins running Baidu didn’t know about the malicious code either). That’s why Mozilla’s move makes sense to me. HTTP is basically just one big security hole, which anyone can inject malware into.
As for advertisers claiming they can’t make as much money with HTTPS, that’s to be expected. There’s nothing advertisers seem to love more than knowing everything they can about everyone they can. I’ll bet privacy-protecting tools like Privacy Badger and Disconnect scare them more than anything.