Recent enhancements in security requirements embraced by HTTPS certificate industry
Introduced in 2022, the Chrome Root Program is an integral part of Google’s continuous dedication to maintaining secure and dependable network connections through Chrome. The previous discourse about how the Chrome Root Program ensures user safety, and outlined its focus on advancing technologies and practices to reinforce the security guarantees provided by Transport Layer Security (TLS). Comprehensive details about these initiatives can be found within our forward-thinking, public roadmap known as ” Moving Forward, Together.”
At its core, “Moving Forward, Together” signifies our vision for the future. It is not binding and distinct from the specifications outlined in the Chrome Root Program Policy. This vision centers on key themes that we believe are vital for further enhancing the Web PKI ecosystem, complementing Chrome’s fundamental principles of speed, security, stability, and simplicity. These overarching themes include:
- Promoting modern infrastructures and flexibility
- Emphasizing simplicity
- Advocating for automation
- Minimizing mis-issuance
- Enhancing accountability and ecosystem integrity
- Simplifying and enhancing domain validation practices
- Preparing for a “post-quantum” era
Recently, two initiatives from “Moving Forward, Together” were mandated practices in the CA/Browser Forum Baseline Requirements (BRs). The CA/Browser Forum is a collaborative industry consortium that collaborates on defining minimum standards for TLS certificates. These initiatives mark a progress in enhancing the security and adaptability of all TLS connections relied upon by Chrome users.
For those unfamiliar with HTTPS and certificates, refer to the introductory section of this blog post for a succinct overview.
Multi-Perspective Issuance Corroboration
Prior to issuing a certificate for a website, a Certification Authority (CA) must validate that the entity legitimately controls the domain whose name will be included in the certificate. Known as “domain control validation,” this process involves various well-established methods. For instance, a CA may require a random value to be hosted on a website, followed by verification to confirm the value’s publication by the certificate applicant.
Despite existing domain control validation stipulations laid out by the CA/Browser Forum, research from the Center for Information Technology Policy (CITP) at Princeton University, and others, has highlighted the danger of Border Gateway Protocol (BGP) attacks and prefix-hijacking leading to fraudulently issued certificates. These attacks were not solely theoretical, as instances showcased successful exploitation of this vulnerability, with a single breach resulting in approximately $2 million in direct losses.
Multi-Perspective Issuance Corroboration (MPIC), often referred to as “MPIC,” enriches the existing domain control validation methods by decreasing the probability of routing attacks leading to the issuance of fraudulent certificates. Unlike conventional validation done from a single geographic or routing standpoint, susceptible to manipulation by adversaries as evidenced by security researchers, MPIC implementations conduct the same validation from multiple geographical locations and/or Internet Service Providers. This has proven to be an effective deterrent against ethically executed, real-world BGP hijacks.
The Chrome Root Program spearheaded a collaborative effort involving ecosystem members, culminating in a CA/Browser Forum Ballot making MPIC adoption obligatory through Ballot SC-067. The ballot garnered unanimous approval from participating organizations. Commencing March 15, 2025, CAs issuing publicly-trusted certificates must integrate MPIC into their certificate issuance process. Several of these CAs are leveraging the Open MPIC Project to ensure adherence to robust implementations aligned with ecosystem expectations.
Our sincere appreciation goes out to Henry Birge-Lee, Grace Cimaszewski, Liang Wang, Cyrill Krähenbühl, Mihir Kshirsagar, Prateek Mittal, Jennifer Rexford, and others from Princeton University for their persistent dedication to advancing significant enhancements in web security and continuous collaboration.
Linting
Linting pertains to the automated scrutiny of X.509 certificates to identify and prevent errors, discrepancies, and non-conformity with requirements and industry standards. Linting ensures certificates are well-structured and contain the essential data for their intended usage, such as website authentication.
Linting helps unearth the use of vulnerable or outdated cryptographic algorithms and other insecure practices, thereby enhancing overall security. It bolsters interoperability and aids CAs in mitigating the risk of non-adherence to industry standards (e.g., CA/Browser Forum TLS Baseline Requirements). Non-compliance could lead to certificate “mis-issuance.” Detecting these issues prior to a certificate being employed by a site operator minimizes the repercussions associated with rectifying a mis-issued certificate.
Several open-source linting projects are available (e.g., certlint, pkilint, x509lint, and zlint), alongside numerous personalized linting initiatives managed by stakeholders within the Web PKI ecosystem. “Meta” linters, like pkimetal, amalgamate multiple linting tools into a unified solution, delivering simplicity and notable performance enhancements to implementers compared to deploying several standalone linting solutions.
During the previous spring, the Chrome Root Program led community-wide experiments, underlining the necessity for linting adoption following the discovery of prevalent certificate mis-issuance. This endeavor led to our involvement in formulating CA/Browser Forum Ballot SC-075 mandating certificate linting adoption. The ballot received unanimous approval from participating organizations. Starting March 15, 2025, CAs issuing publicly-trusted certificates must incorporate linting into their certificate issuance process.
What Lies Ahead?
Recently, an updated version of the Chrome Root Program Policy was released to further resonate with the aspirations outlined in “Moving Forward, Together.” The Chrome Root Program continues its commitment to proactively drive progress in the Web PKI domain. This dedication recently translated into a proposal to discontinue vulnerable domain control validation methods permitted by the CA/Browser Forum TLS Baseline Requirements. These weak validation methods are now deemed impermissible post July 15, 2025.
It is imperative that we collectively strive towards continual enhancements in the Web PKI domain, diminishing opportunities for risk and misuse before tangible harm surfaces. Our unwavering commitment to collaborating with web security experts and members of the CA/Browser Forum aims at fostering a safer online experience. As we look ahead, we are enthusiastic about exploring a revamped Web PKI and Chrome Root Program fortified with enhanced security guarantees as we transition towards post-quantum cryptography. More insights on quantum-resistant PKI are set to be shared later in the year.
About Author
