
Google has rolled out two major security upgrades to how HTTPS certificates are issued — aimed at making it harder for attackers to forge website certificates and easier to catch certificate mistakes before they go live.
As of March 15, 2025, these changes are now required by all certificate authorities (CAs) that want their certificates to be trusted in Chrome.
The new rules mandate the use of Multi-Perspective Issuance Corroboration (MPIC) and certificate linting — two practices that, while technical under the hood, target long-standing weaknesses in the internet’s trust model. Both have now been formally adopted into the industry’s baseline requirements through the CA/Browser Forum, the body that sets global standards for web certificates.
The push came from Google’s Chrome Root Program, a policy framework launched in 2022 to strengthen how Chrome handles trusted certificate authorities. These changes are part of a broader security roadmap Google calls “Moving Forward, Together,” focused on simplifying and modernizing web encryption before emerging threats — like quantum computing — start to matter.
Strengthening internet security
Before a certificate authority can issue an HTTPS certificate — essentially a digital passport proving a site is legitimate — it needs to confirm that the person requesting it actually controls the domain. That check is called domain control validation, and for years, CAs have mostly performed it from a single internet location.
But researchers at Princeton University’s Center for Information Technology Policy (CITP) uncovered a serious issue: attackers could hijack internet routing (via BGP attacks) and fool the CA into thinking they owned a domain, even when they didn’t. This wasn’t just theoretical — at least one real-world attack exploiting this trick led to $2 million in losses.
To counter that, MPIC makes the certificate validation process much harder to spoof. Instead of checking domain control from just one network location, CAs now have to validate it from multiple perspectives — across different ISPs and geographical regions. This raises the bar substantially for routing-based certificate fraud: an attacker would have to hijack the route as seen from several independent networks at the same time, not just from the CA's own network.
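To make the corroboration rule concrete, here is an added example (not Chrome's, any CA's, or the CA/Browser Forum's code) that models the decision a CA makes once it has the challenge result from its own network and from several remote vantage points. The perspective names, region labels, token value and quorum thresholds are assumptions; the thresholds follow my recollection of the Baseline Requirements rather than anything stated above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """What one vantage point saw when fetching the DCV challenge for the domain."""
    perspective: str      # hypothetical vantage-point name
    region: str           # hypothetical region label for the hosting network
    token: Optional[str]  # challenge token fetched, or None if the fetch failed


def max_dissenters(remote_count: int) -> int:
    # Assumed quorum rule (my recollection of the Baseline Requirements, not quoted
    # from this article): tolerate one non-corroborating remote perspective when
    # fewer than six are used, two when six or more are used.
    return 1 if remote_count < 6 else 2


def corroborate(expected: str, primary: Observation,
                remotes: List[Observation]) -> Tuple[bool, str]:
    """Return (issue, reason). Issuance needs the CA's own check AND a quorum of
    remote perspectives spanning at least two regions to see the same token."""
    if primary.token != expected:
        return False, "primary perspective did not see the expected token"
    if len(remotes) < 2:
        return False, "fewer than two remote perspectives"
    if len({r.region for r in remotes}) < 2:
        return False, "remote perspectives do not span two regions"
    dissenters = [r.perspective for r in remotes if r.token != expected]
    if len(dissenters) > max_dissenters(len(remotes)):
        return False, "quorum failed; non-corroborating: " + ", ".join(dissenters)
    return True, "corroborated"


TOKEN = "c0ffee-example-token"  # constructed challenge value


def honest_domain_owner() -> Tuple[bool, str]:
    # The real operator published TOKEN, so every vantage point fetches the same value.
    remotes = [Observation("remote-1", "REGION-A", TOKEN),
               Observation("remote-2", "REGION-B", TOKEN),
               Observation("remote-3", "REGION-C", TOKEN)]
    return corroborate(TOKEN, Observation("ca-primary", "REGION-A", TOKEN), remotes)


def hijack_seen_only_from_ca() -> Tuple[bool, str]:
    # A route hijack that only affects the path from the CA's own network: the CA
    # fetches the attacker's copy of TOKEN, but the remote vantage points still reach
    # the legitimate server, which does not serve the token at the challenge path.
    remotes = [Observation("remote-1", "REGION-A", None),
               Observation("remote-2", "REGION-B", None),
               Observation("remote-3", "REGION-C", "unrelated-content")]
    return corroborate(TOKEN, Observation("ca-primary", "REGION-A", TOKEN), remotes)
```

Running `honest_domain_owner()` returns `(True, "corroborated")`, while `hijack_seen_only_from_ca()` is refused because three of three remote perspectives dissent, which is exactly the outcome the single-location check could not produce.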
Catching certificate errors early
The second rule change makes certificate linting a required step in the certificate issuance process. Linting is essentially an automated pre-check that scans certificates for technical errors, outdated algorithms, or non-compliance with industry rules. This helps avoid mis-issued certificates, which can cause broken websites and browser warnings or even allow impersonation attacks if left unchecked.
Many CAs already used tools like zlint, x509lint, and newer combined systems like pkimetal, but the Chrome team found last year that mistakes were still slipping through. So they proposed Ballot SC-075 to make linting mandatory across the board. Like the MPIC rule, it passed with unanimous support.
While these updates may not be visible to users, they directly impact the security of nearly every HTTPS connection made through Chrome — which is used by over 3 billion people. The Chrome Root Program manages which certificate authorities Chrome trusts by default, giving Google a powerful lever to improve internet security standards.
Google has also announced it will ban certain outdated domain validation methods starting July 15, 2025, and hinted at more changes ahead to prepare the web for post-quantum cryptography — a future where current encryption may no longer be safe.
Actions
Website operators managing HTTPS certificates should make sure their CA is compliant with the MPIC and linting requirements. Security teams should stay updated on Chrome Root Program policy changes, especially ahead of the July 15 ban on weak domain validation methods.
General users do not need to take any action at this time, as these are behind-the-scenes upgrades intended to make web browsing safer.
> “directly impact the security of nearly every HTTPS connection made through Chrome”
This part isn’t quite accurate; both of these changes are about tightening up processes within certificate authorities to prevent mis-issuance of certificates. These changes will improve the security of any software using Google’s root CA list, at least, and probably almost all other software that makes HTTPS requests. Compliance with the CA/Browser Forum Baseline Requirements is a fairly universal requirement for inclusion in root CA lists.
On another note, the MPIC protocol has some similarity with the Convergence SSL protocol proposed by Moxie Marlinspike. Here’s hoping it makes a comeback.