
SecurityWeek

New Issuance Requirements Improve HTTPS Certificate Validation

HTTPS certificate issuance now requires Multi-Perspective Issuance Corroboration and linting to improve validation.

Trust in HTTPS certificate issuance has been enhanced with new practices mandated by the CA/Browser Forum Baseline Requirements meant to strengthen certificate validation.

While the certificate issuance process has previously required the Certification Authority (CA) to verify the requestor’s legitimate control over the domain, Border Gateway Protocol (BGP) attacks and prefix hijacking have been used to obtain fraudulent certificates.

To improve domain control validation, Multi-Perspective Issuance Corroboration (MPIC) was added to the baseline requirements, as it proved to be effective against real-world BGP hijacks.

“Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers,” Google explains.

After a ballot to require the adoption of MPIC received unanimous support from the involved stakeholders, the validation improvement became a requirement and, starting March 15, 2025, all CAs must rely on MPIC when issuing publicly-trusted certificates.

To ensure robustness and consistency, some of the CAs are using the Open MPIC Project in their implementations, Google says.
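The multi-vantage-point check described above can be sketched as follows. This is an added example, not code from the article, Google, or the Open MPIC Project; the perspective names, the token, and the `max_dissent` and `min_networks` thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    perspective: str       # hypothetical vantage-point name
    network: str           # hypothetical ISP/region label
    token: Optional[str]   # challenge value fetched from here; None = not found/timeout

def corroborate(expected, primary, remotes, max_dissent=1, min_networks=2):
    """Decide whether domain control validation is corroborated.

    max_dissent and min_networks are assumed policy knobs for this sketch,
    not values taken from the article.
    Returns (ok, names of remote perspectives that did not corroborate).
    """
    if primary.token != expected:
        return False, []                      # primary validation itself failed
    dissent = [o.perspective for o in remotes if o.token != expected]
    networks = {o.network for o in remotes if o.token == expected}
    ok = len(dissent) <= max_dissent and len(networks) >= min_networks
    return ok, dissent

# Constructed sample data: the token and all perspective names are made up.
TOKEN = "dcv-token-example"
PRIMARY = Observation("primary", "isp-a", TOKEN)

# Normal issuance: every vantage point reaches the real server and sees the token.
LEGIT = [Observation("r1", "isp-b", TOKEN), Observation("r2", "isp-c", TOKEN),
         Observation("r3", "isp-d", TOKEN), Observation("r4", "isp-e", TOKEN)]

# Localized route hijack: only paths near the primary are diverted to a host
# serving the token; the other vantage points reach the real server, which has none.
HIJACKED = [Observation("r1", "isp-b", TOKEN), Observation("r2", "isp-c", None),
            Observation("r3", "isp-d", None), Observation("r4", "isp-e", None)]

# One remote times out: tolerated because it stays within max_dissent.
FLAKY = LEGIT[:3] + [Observation("r4", "isp-e", None)]

def single_vantage_ok(expected, primary):
    """The single-vantage decision: trust whatever the one vantage point saw."""
    return primary.token == expected

if __name__ == "__main__":
    for name, remotes in [("legit", LEGIT), ("hijacked", HIJACKED), ("flaky", FLAKY)]:
        print(name, single_vantage_ok(TOKEN, PRIMARY), corroborate(TOKEN, PRIMARY, remotes))
```

In the hijacked case the single-vantage check passes while corroboration fails, which is the gap MPIC is meant to close.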

Starting March 15, CAs are also required to use linting during the certificate issuance process, to ensure that certificates include all the necessary information and are well-formatted.

“Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards,” Google explains.

Through linting, insecure practices such as the use of weak or obsolete cryptographic algorithms can be discovered, interoperability is improved, and the risk of non-compliance is reduced, the internet giant says.

Both open source and custom linting projects exist, including ‘meta’ linters, which combine multiple projects for increased simplicity and performance.

In line with the public roadmap named ‘Moving Forward, Together’, starting July 15, 2025, the Chrome Root Program will prohibit demonstrated weak domain control validation methods, further improving the Web PKI ecosystem.

“It’s essential we all work together to continually improve the Web PKI, and reduce the opportunities for risk and abuse before measurable harm can be realized. We continue to value collaboration with web security professionals and the members of the CA/Browser Forum to realize a safer internet,” Google says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
