Fortunately, Google does it right: when I tried to steal my own session by using these over HTTPS, it failed with a redirection to accounts.google.com for the login mechanism. I did not try anything more.
I'm pretty sure many sites aren't that careful, so I installed HTTPS Everywhere. With the plugin installed, the request to the HTTP version is not sent when I type "google.com" in my URL bar.
By the way, it is made by the EFF and the Tor Project. It's available for Firefox and Chrome: