by bobedybobbob 3893 days ago
The core issue is the same one that leads to cross-domain search timing attacks [1] (which can be prevented with CSRF tokens).

With timing HTTP->HTTPS redirections, maybe the issue is not that the response can be timed but that HTTP exists in the first place? There are other similar timing attacks that can easily be used to identify if a user is logged in to a specific website [2].

[1] https://news.ycombinator.com/item?id=10211306
[2] http://crypto.stanford.edu/~dabo/papers/webtiming.pdf
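An added illustration of the mitigation the comment refers to (example code written for this page, not the commenter's or any project's): an authenticated search handler that refuses cross-site requests and requires a session-bound CSRF token before doing any data-dependent work, so a page on another origin cannot trigger the slow path and time it. It also checks the browser's Sec-Fetch-Site header, which goes slightly beyond the comment; the `SECRET_KEY`, `Request` shape and in-memory `db` are constructed for the demo.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the server-side secret; a real deployment
# would load a random key from its secret store.
SECRET_KEY = b"demo-server-secret"


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session.

    Only a page on our own origin (which can read the token from the
    rendered form) can present it; a cross-site attacker page cannot.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    session_id: str                      # taken from the session cookie
    query: str                           # the search string
    csrf_token: Optional[str] = None     # token submitted with the request
    headers: Dict[str, str] = field(default_factory=dict)


def is_cross_site(req: Request) -> bool:
    """Fetch Metadata check: modern browsers label cross-site requests."""
    return req.headers.get("Sec-Fetch-Site", "") == "cross-site"


def handle_search(req: Request, db: List[str]) -> Tuple[int, str]:
    """Run the search only for same-site requests carrying a valid token."""
    # 1. Cheap, data-independent rejection of cross-site requests.
    if is_cross_site(req):
        return 403, "forbidden"
    # 2. Validate the session-bound token with a constant-time comparison.
    expected = issue_csrf_token(req.session_id)
    if req.csrf_token is None or not hmac.compare_digest(req.csrf_token, expected):
        return 403, "forbidden"
    # 3. Only now do the work whose duration depends on the user's private data.
    hits = [row for row in db if req.query in row]
    return 200, f"{len(hits)} results"
```

Because every rejection happens before the query touches user data, the response time an attacker's page could observe no longer depends on what the victim's account contains.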