However, there are enough governmental organisations on the list that it is likely to be very easy for any of them to get a certificate signed stating that they are someone else.
Even without it, there are attacks against SSL using web proxies - just look at what Opera Mini does with its rewriting proxy.
However, even with all of that, we have pretty good knowledge of what the current filter is capable of. It isn't capable of snooping anything other than HTTP.
So, to be truly paranoid:
1) Don't trust DNS - type the IP address and port in by hand.
2) Don't trust the built-in CAs; hand-deliver the signed certificate through a secondary channel.
3) Don't surf using anything other than HTTPS.
In fact, take off and nuke the whole thing from orbit. It's the only way to be sure.
I do wonder why people think that these filters are a good idea. I think we need a post office metaphor here!
What filters are on the mail service? Telephone service? Do we block address ranges and add automatic taping of phone calls to certain numbers (actually, we probably do, we just don't talk about that stuff)?
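Steps 1 to 3 above amount to certificate pinning against a hand-typed address. The sketch below is an added example, not part of the original post: it refuses hostnames, ignores the built-in CA store, and accepts only a certificate whose fingerprint matches one received out of band. The function names and the choice of a SHA-256 fingerprint as the hand-delivered value are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def pin_matches(der_cert: bytes, pin: str) -> bool:
    """Constant-time check; the pin may be written 'AA:BB:..' or 'aabb..'."""
    wanted = pin.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der_cert).encode(), wanted.encode())

def is_ip_literal(host: str) -> bool:
    """Step 1: accept only literal IPv4/IPv6 addresses, so DNS is never used."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except (OSError, ValueError):
            continue
    return False

def connect_pinned(ip: str, port: int, pin: str, timeout: float = 10.0):
    """Open a TLS connection to ip:port, trusting only the pinned certificate."""
    if not is_ip_literal(ip):
        raise ValueError("refusing hostname: type the IP address by hand")
    # Step 2: the built-in CA store is deliberately not consulted; the pin
    # comparison below is the only authentication of the server.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((ip, port), timeout=timeout)
    try:
        sock = ctx.wrap_socket(sock)  # Step 3: TLS only, no plaintext fallback
        der = sock.getpeercert(binary_form=True)
        if not der or not pin_matches(der, pin):
            raise ssl.SSLError("certificate does not match the hand-delivered pin")
        return sock
    except Exception:
        sock.close()
        raise
```

Because CA validation is switched off, a wrong or stale pin means the connection is refused outright; there is no fallback to the system trust store.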