On Google Search, the special
Scholar search results starting with
Scholarly articles for use unencrypted HTTP links, instead of HTTPS. Thus, when a user clicks on a
Scholar results, an unencrypted HTTP request is made.
Steps to Reproduce:
- Go to
- Search for
A Theory of Human Motivation
- Under the
Adssection, see the
Scholarly articles forsection
- See that the link to the Scholar search
Scholarly articles for A Theory of Human Motivationand the direct links to the documents are HTTP links instead of HTTPS
- Weirdly enough, in the parameters of the Scholar direct links, a parameter
nossl=1can be found. Was this intentional for some reason?
- For the query
A Theory of Human Motivationthe seconds result is a
[BOOK]result, pointing to Google Books. While from the Scholar search page, the link to Google Books is HTTPS, here, the direct link is also HTTP (
http://scholar.google.hu/scholar_url?url=http://www.google.com/books). That should also be HTTPS.
A passive eavesdropper who has access to the victim’s network traffic (targeted attack, ISP) could capture and read these unencrypted requests, and track what Scholar query the victim has searched for, and what documents she opened.
This leaks private information (queries, documents opened), which should never be visible to any passive eavesdropper.
Furthermore, an active MITM attacker might also spoof the unencrypted HTTP response from Google Scholar, and redirect the user to a fake/malicious page.