One day my browser told me that Gmail was returning an invalid certificate. It was a certificate for the correct domain, but signed by an untrusted authority. This was an actual MITM attack.
I noticed that my Gmail notifier (checkgmail) just kept working! Apparently it didn't check the certificate. I ditched the notifier, changed my Gmail password and sent an e-mail to the author of the notifier. Never got a reply, though.