I might be revealing my stupidity here, but surely your ISP can MITM the HTTPS handshake and decrypt all of your traffic? Unless you have a pre-arranged key that hasn't travelled through their network.
Your ISP won't be able to get a trusted certificate authority to issue them a cert for "*", which is what they would need to do in order to transparently MITM SSL. They could generate that cert on their own, and maybe install it into the Windows cert store with the "installation CD", but they couldn't intercept your traffic on an unadulterated system.
SSL is designed so that only the server with the private key for a specific certificate can complete the handshake correctly for that certificate, and the certificate is tied to the domain name.
The ISP can MITM the handshake and return a different certificate, but unless a certificate authority supported by your browser is complicit, they can't get that certificate signed for the domain you're trying to visit, and the browser will complain.
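The checks the replies describe, as an added Go example that is not part of this thread: a server certificate is only accepted when it chains to a root already in the client's trust store and names the host the user typed. The CA names, the hostname and the ISP's own root are all constructed in memory, and the Go cert pool stands in for a browser's root store.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCert signs an in-memory cert for name: a self-signed root if isCA, else a server cert (SAN = name) issued by parent/parentKey.
func NewCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key // a root signs itself
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Accepts is the browser-side check: chain to a root in the trust store and match the typed hostname; nil means no warning.
func Accepts(roots *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Scenario: the genuine cert passes; an ISP-forged cert for the same host fails until the ISP's root is installed into the store.
func Scenario() (genuineOK, forgedOK, installedRootOK bool) {
	trustedCA, trustedKey := NewCert("Trusted Root CA", true, nil, nil)
	ispCA, ispKey := NewCert("ISP MITM CA", true, nil, nil)
	genuine, _ := NewCert("example.com", false, trustedCA, trustedKey)
	forged, _ := NewCert("example.com", false, ispCA, ispKey)
	store := x509.NewCertPool()
	store.AddCert(trustedCA)
	genuineOK = Accepts(store, genuine, "example.com") == nil
	forgedOK = Accepts(store, forged, "example.com") == nil
	store.AddCert(ispCA) // the user ran the ISP's "installation CD"
	installedRootOK = Accepts(store, forged, "example.com") == nil
	return
}
func main() { fmt.Println(Scenario()) } // prints: true false true
```

The same `Accepts` check also rejects a certificate that a trusted CA legitimately issued for some other hostname, which is why a certificate is only useful for the domain it names.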
If they did, we'd get versions of Firefox and Chromium at least with the US certificate authorities root certs yanked out within a day, and companies scrambling to replace their SSL certs with certs that'd still be trusted by users.
Unless they made it illegal to, I'm sure we'd see all the major browsers work to deprecate those certificate authorities pretty quickly - not doing so would make SSL useless.
The thing with certificates is that you have to trust that the certificate authorities won't sell (or give) a fake certificate to an ISP or government. If they do so, the ISP can MITM you.