New Rules Boost HTTPS Certificate Validation Security

Trust in HTTPS is getting a major upgrade. Starting March 15, 2025, Certificate Authorities (CAs) must follow stricter rules to issue publicly trusted certificates—rules that are designed to block common attacks and improve validation across the web.

For years, CAs have been tasked with verifying that a requester truly controls a domain before issuing an HTTPS certificate. But cybercriminals have exploited gaps in this process using BGP hijacks and other network-layer attacks to obtain fraudulent certificates. Now, updated Baseline Requirements from the CA/Browser Forum are changing the game.

One of the biggest changes is the introduction of Multi-Perspective Issuance Corroboration (MPIC). This new validation method makes it much harder for attackers to spoof domain ownership by forcing CAs to check domain control from multiple locations and ISPs—not just a single point.

According to Google, “MPIC implementations perform domain validation from various geographic locations or through different internet providers, reducing the risk of manipulation by malicious actors.” Security researchers had shown that single-point validation was vulnerable to localized routing attacks, which MPIC is designed to overcome.

Following unanimous support for the MPIC proposal, it became a mandatory requirement. From March 15, all public CAs must use MPIC when issuing HTTPS certificates. Some are leveraging the Open MPIC Project, an initiative aimed at helping CAs implement this new standard effectively.
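The corroboration decision that MPIC adds on top of single-point validation, sketched as an added example that is not from the article, the Open MPIC Project or any CA's implementation. The perspective names, region and network labels, the token and the quorum thresholds (one tolerated miss for 2-5 remote perspectives, two for 6 or more, remotes spanning at least two regions) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    perspective: str           # hypothetical vantage-point name
    region: str                # constructed region label
    network: str               # constructed upstream-provider label
    token_seen: Optional[str]  # challenge value fetched from this vantage point

def allowed_failures(remote_count):
    """Assumed quorum policy: tolerate 1 miss for 2-5 remotes, 2 for 6 or more."""
    if remote_count < 2:
        raise ValueError("need at least two independent remote perspectives")
    return 1 if remote_count <= 5 else 2

def independent(primary, remotes):
    """Keep one remote per network and drop any that share the primary's network."""
    seen, kept = {primary.network}, []
    for obs in remotes:
        if obs.network not in seen:
            seen.add(obs.network)
            kept.append(obs)
    return kept

def single_point_ok(expected, primary):
    """Pre-MPIC decision: one vantage point decides."""
    return primary.token_seen == expected

def mpic_ok(expected, primary, remotes):
    """Issue only if the primary and a quorum of independent remotes agree."""
    if not single_point_ok(expected, primary):
        return False
    remotes = independent(primary, remotes)
    if len({o.region for o in remotes}) < 2:
        return False  # assumed rule: remotes must span at least two regions
    misses = sum(o.token_seen != expected for o in remotes)
    return misses <= allowed_failures(len(remotes))

# Constructed data: a localized route hijack steers the primary (and r1, r4)
# to a host serving the token; r2 and r3 reach the real server, which has none.
TOKEN = "constructed-challenge-token"
PRIMARY = Observation("primary", "na", "isp-a", TOKEN)
HIJACKED = [Observation("r1", "na", "isp-a", TOKEN),  # shares primary's network
            Observation("r2", "eu", "isp-b", None),
            Observation("r3", "ap", "isp-c", None),
            Observation("r4", "sa", "isp-d", TOKEN)]
# Legitimate request with one transient fetch failure at r3.
HEALTHY = [Observation(o.perspective, o.region, o.network,
                       None if o.perspective == "r3" else TOKEN) for o in HIJACKED]
```

On the hijacked data the single-point check passes while the multi-perspective check refuses issuance; the legitimate request still passes despite one failed fetch.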

Another layer of security comes in the form of linting—a process that scans X.509 certificates for formatting errors, weak cryptography, and non-compliance with industry standards. Starting on the same March deadline, linting becomes a required part of the certificate issuance process.

As Google explains, “linting helps identify weak or outdated encryption, improves interoperability, and reduces the risk of errors in certificate deployment.” Open-source and custom-built linting tools, including meta-linters that bundle multiple engines, are already in use among CAs to simplify this step.

These changes are part of a larger roadmap called ‘Moving Forward, Together’, aimed at boosting the security of the Web PKI (Public Key Infrastructure). Under this roadmap, another critical change is set to take place on July 15, 2025, when the Chrome Root Program will officially block the use of weak domain validation methods.

That means techniques proven to be vulnerable will no longer be accepted by Chrome when trusting HTTPS certificates, forcing CAs to stick to stronger validation mechanisms like MPIC.

Google emphasized the importance of industry-wide cooperation in strengthening the digital certificate ecosystem: “We must work together to improve Web PKI security, minimizing the chances of abuse before real harm occurs. Collaboration with web security professionals and the CA/Browser Forum remains key to achieving a safer internet.”

With rising threats targeting the foundational layers of internet trust, these new HTTPS certificate validation rules mark a major step forward in reducing the attack surface and ensuring secure communication online.
