One could require the user to specify/confirm a certificate fingerprint on Gmail in such a case. That way you're MitM-proof, even with a self-signed certificate.
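The fingerprint check proposed above, sketched as an added example (not part of the original comment, and not Gmail's code). The function names, the `host`/`port` parameters and the choice of SHA-256 are assumptions, as is the premise that the user obtained the fingerprint over a channel the attacker does not control.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_for_display(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the AA:BB:... form shown to the user to confirm."""
    hexed = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def normalize_fingerprint(text: str) -> bytes:
    """Accept what a user pastes (colons, spaces, any case); return raw bytes."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\n").lower()
    digest = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(digest) != 32:
        raise ValueError("expected a full SHA-256 fingerprint (32 bytes)")
    return digest


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare the presented certificate against the user-confirmed pin."""
    actual = hashlib.sha256(der_cert).digest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def connect_pinned(host: str, port: int, pinned: str) -> ssl.SSLSocket:
    """Open TLS to a server with a self-signed certificate, trusting only the pin.

    CA and hostname checks are off because a self-signed certificate has no
    chain to validate; the pin is the sole trust decision, so it is checked
    before the caller can send anything (credentials included).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not matches_pin(der, pinned):
        tls.close()
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return tls


# Constructed stand-in for DER certificate bytes, so the check runs offline.
SAMPLE_DER = b"constructed stand-in for a DER-encoded self-signed certificate"
```

A changed certificate (renewal or interception) fails the same way, so the client has to ask the user to re-confirm the new fingerprint rather than silently accept it.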