Core Issue:
On Google Search, the special Scholar search results starting with "Scholarly articles for" use unencrypted HTTP links instead of HTTPS. Thus, when a user clicks on a Scholar result, an unencrypted HTTP request is made.
Steps to Reproduce:
- Go to https://www.google.com
- Search for "A Theory of Human Motivation"
- Under the "Ads" section, see the "Scholarly articles for" section
- See that the link to the Scholar search ("Scholarly articles for A Theory of Human Motivation") and the direct links to the documents are HTTP links instead of HTTPS
Extras:
- Weirdly enough, in the parameters of the Scholar direct links, a parameter "nossl=1" can be found. Was this intentional for some reason?
- For the query "A Theory of Human Motivation", the second result is a [BOOK] result, pointing to Google Books. While from the Scholar search page the link to Google Books is HTTPS, here the direct link is also HTTP (http://scholar.google.hu/scholar_url?url=http://www.google.com/books). That should also be HTTPS.
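As an added example (not part of the original report, and not Google's code), the following check scans a saved result page for the three problems described above: plain-HTTP hrefs, the "nossl=1" parameter, and an http:// target nested inside a scholar_url redirect's url= parameter. The sample HTML is constructed to resemble the result block, not a real capture.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def insecure_links(html):
    """Return (href, reasons) pairs for links that use plain HTTP, carry
    nossl=1, or redirect (via a url= parameter) to a plain-HTTP target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        u = urlparse(href)
        reasons = []
        if u.scheme == "http":
            reasons.append("plain-http")
        qs = parse_qs(u.query)
        if qs.get("nossl") == ["1"]:
            reasons.append("nossl=1")
        # scholar_url?url=... wraps the real destination; check its scheme too
        for target in qs.get("url", []):
            if urlparse(target).scheme == "http":
                reasons.append("http-redirect-target")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample resembling the "Scholarly articles for" block (not a real capture).
SAMPLE_HTML = """
<div><a href="https://www.google.com/search?q=A+Theory+of+Human+Motivation">ok</a>
<a href="http://scholar.google.com/scholar?q=A+Theory+of+Human+Motivation">Scholarly articles for A Theory of Human Motivation</a>
<a href="http://scholar.google.hu/scholar_url?url=http://www.google.com/books&amp;nossl=1">[BOOK]</a>
<a href="https://scholar.google.com/scholar_url?url=https://example.org/paper.pdf">fine</a></div>
"""

if __name__ == "__main__":
    for href, reasons in insecure_links(SAMPLE_HTML):
        print(href, "->", ", ".join(reasons))
```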
Impact:
A passive eavesdropper who has access to the victim’s network traffic (targeted attack, ISP) could capture and read these unencrypted requests, and track what Scholar query the victim has searched for, and what documents she opened.
This leaks private information (queries, documents opened), which should never be visible to any passive eavesdropper.
Furthermore, an active MITM attacker might also spoof the unencrypted HTTP response from Google Scholar, and redirect the user to a fake/malicious page.