They can MITM attack SSL only if they have root/superuser access to your computer. They'd have to install a new SSL root cert. Or ISPs can put up a fake cert and hope that people ignore/click through the warnings (which lots do). Or if they have a contact with a corrupt SSL root cert signer, they could get their own fake cert signed.