They have to be on the wire between you and the destination server, like at your ISP, a router upstream of the server you are connecting to, a gateway between two autonomous zones, an internet exchange point, etc. The packets have to physically pass through an internet host that the adversary controls. The Chinese government can't MITM a connection between NYC and Boston, unless the routing is really fucked (or they hacked a server in between). Targeting a specific person or host is probably easy, as long as they are in a jurisdiction that LE controls. They could get a warrant, or ask your ISP nicely, and in some cases the ISP will cooperate without legal pressure. Targeting someone outside of LE's jurisdiction is harder. That being said, decrypting a Tor circuit is considerably harder than an HTTPS connection. HTTPS relies on certificate authorities, which can be compelled to sign certificates for governments or LE to use in MITM attacks (some CAs have even been hacked, allowing the Iranian government to MITM its people, for example). Tor's SSL uses private keys stored on the relays. You download the public keys in the relay descriptors from the directory authorities. Descriptors are signed by the directory authorities. The directory authority keys are hardcoded into the Tor client. That means, as long as you have an uncompromised Tor client (check the signature when you download it!), nobody can serve you fake descriptors, with fake relay keys, and thus establish fake connections with your Tor client. BTW, what kind of "odd" things did you notice?
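The trust chain the post describes (authority keys pinned in the client, relay keys delivered in descriptors that the authorities sign), as an added example in Go; this is not code from the post or from Tor itself. The descriptor encoding, the one-signature-per-authority layout and the majority rule are simplifying assumptions, and the addresses and keys are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Descriptor is a simplified stand-in for a Tor relay descriptor: the relay's
// address plus the identity key the client will expect on its TLS connection.
type Descriptor struct {
	Address  string
	RelayKey ed25519.PublicKey
}
// Bytes is the canonical encoding that authorities sign and clients verify.
func (d Descriptor) Bytes() []byte { return []byte(d.Address + "|" + string(d.RelayKey)) }
// Signature is one directory authority's signature over a descriptor.
type Signature struct{ Authority ed25519.PublicKey; Sig []byte }
// Sign produces an authority's signature over the descriptor.
func Sign(priv ed25519.PrivateKey, d Descriptor) Signature {
	return Signature{priv.Public().(ed25519.PublicKey), ed25519.Sign(priv, d.Bytes())}
}
// AcceptDescriptor is the client-side check: trust the descriptor only if a majority
// of the pinned (hardcoded) authority keys signed it; unknown or repeated signers count for nothing.
func AcceptDescriptor(pinned []ed25519.PublicKey, d Descriptor, sigs []Signature) bool {
	seen := map[string]bool{}
	for _, s := range sigs {
		for _, p := range pinned {
			if p.Equal(s.Authority) && ed25519.Verify(p, d.Bytes(), s.Sig) {
				seen[string(p)] = true
			}
		}
	}
	return len(seen) > len(pinned)/2
}

func main() {
	// Constructed scenario: three pinned authorities; an on-path attacker can swap in their own relay key but can only sign with a key the client never pinned.
	pinned, privs := []ed25519.PublicKey{}, []ed25519.PrivateKey{}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader) // errors ignored for brevity
		pinned, privs = append(pinned, pub), append(privs, priv)
	}
	relayPub, _, _ := ed25519.GenerateKey(rand.Reader)
	honest := Descriptor{"198.51.100.7:9001", relayPub}
	fmt.Println("honest accepted:", AcceptDescriptor(pinned, honest, []Signature{Sign(privs[0], honest), Sign(privs[1], honest)}))
	evilPub, evilPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Descriptor{honest.Address, evilPub}
	fmt.Println("forged accepted:", AcceptDescriptor(pinned, forged, []Signature{Sign(evilPriv, forged)}))
}
```

The same check is why a compromised or coerced CA does not help against Tor: the attacker needs a majority of the keys baked into the client, not any one signer the client happens to trust.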