How do you want to do a MitM attack with a plaintext password sent over HTTPS?!?
HTTPS protects against MitM attacks in theory, not in practice.
Many programs (especially hastily coded bots) do not care about the
validity of a certificate.
HMAC is also only secure against replay attacks if the nonce is checked correctly. And for that you need to trust that MtGox did it correctly. I prefer trusting myself that I know how to implement a cert check than having to trust others.
You don't need to trust anything but Bitstamp. You can check directly their cert against a saved key. Or their CA cert if you trust them and don't want to update the check if Bitstamp updates their cert.
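The two things argued over in this thread, a client that skips certificate validation entirely versus one that pins the server's certificate (or its CA) against a saved copy, look like this in Python's standard `ssl` module. This is an added example, not code from any poster or from Bitstamp; the hostname `example.invalid` and the pinned fingerprint are constructed placeholders, and a real pin has to be obtained out of band (e.g. `openssl s_client -connect host:443 </dev/null | openssl x509 -noout -fingerprint -sha256`).

```python
import hashlib
import socket
import ssl

# Saved pins: SHA-256 over the DER-encoded certificate, lowercase hex without colons.
# Constructed placeholder, not a real fingerprint: replace with the value obtained out of band.
PINNED_SHA256 = {
    "example.invalid": {
        hashlib.sha256(b"constructed placeholder DER bytes").hexdigest(),
    },
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate, same digest openssl -fingerprint -sha256 prints (minus colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_is_pinned(host: str, der_cert: bytes) -> bool:
    """True only if the presented leaf certificate matches one of the pins saved for host."""
    return fingerprint(der_cert) in PINNED_SHA256.get(host, set())


def insecure_context() -> ssl.SSLContext:
    """What a hastily written bot does: accept any certificate, so a MitM presenting
    a self-signed cert is not detected and the plaintext password goes to the attacker."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context() -> ssl.SSLContext:
    """Default client context: chain validated against the system CA store, hostname checked."""
    return ssl.create_default_context()


def ca_pinned_context(cafile: str) -> ssl.SSLContext:
    """The 'trust their CA' variant: trust only the saved CA certificate, nothing from the
    system store, so a rotated leaf still validates but any other CA is rejected.
    cafile is a path you supply (assumption: a PEM file saved earlier)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def connect_pinned(host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect with normal validation, then additionally require the leaf cert to match a saved pin.
    Raises ssl.SSLError and closes the socket if the pin does not match."""
    ctx = verified_context()
    sock = socket.create_connection((host, port))
    tls = ctx.wrap_socket(sock, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not cert_is_pinned(host, der):
        tls.close()
        raise ssl.SSLError(
            f"certificate for {host} does not match any saved pin (got {fingerprint(der)})"
        )
    return tls


if __name__ == "__main__":
    # Offline demonstration of the pin check itself using constructed bytes.
    good = b"constructed placeholder DER bytes"
    bad = b"some other certificate a MitM would present"
    print("pinned cert accepted:", cert_is_pinned("example.invalid", good))
    print("MitM cert accepted:  ", cert_is_pinned("example.invalid", bad))
```

Leaf pinning (`connect_pinned`) has to be updated whenever the server rotates its certificate, which is the trade-off the post describes; `ca_pinned_context` avoids that at the cost of trusting every certificate that CA issues for the name. Either way the check runs on top of, not instead of, the default chain and hostname validation.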