
arxiv: 2603.21652 · v2 · pith:Y2VJ5OLMnew · submitted 2026-03-23 · 💻 cs.CR

TLS Certificate and Domain Feature Analysis of Phishing Domains in the Danish .dk Namespace

Pith reviewed 2026-05-21 11:11 UTC · model grok-4.3

classification 💻 cs.CR
keywords: phishing detection, TLS certificates, .dk domain, domain analysis, certificate authorities, DNS records, cybersecurity, feature overlap

The pith

No individual TLS certificate or domain feature reliably indicates phishing activity in the Danish .dk namespace.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines whether TLS certificate metadata and domain characteristics can separate phishing domains from benign ones inside the .dk namespace. It builds a dataset from registry records, phishing reports, and popularity rankings, then gathers certificate details via Netlas plus DNS and lexical features. The analysis compares phishing domains against both highly popular and less-visited domains on certificate authorities, validity periods, missing fields, SAN structure, registrant geography, hosting providers, and domain-name properties. Observable differences appear between phishing and popular domains, yet phishing domains closely match less popular ones, producing large overlap. This leads to the finding that no single feature works as a standalone signal, while suggesting that combined attributes may still aid detection.

Core claim

The paper claims that several certificate and domain features differ between phishing and highly popular domains, but phishing domains in the .dk namespace resemble less frequently visited legitimate domains so closely that substantial overlap occurs across many characteristics, and therefore no individual feature provides a reliable standalone indicator of phishing activity.

What carries the argument

Three-group feature comparison (phishing reports, popularity rankings, and registry data) of TLS certificate attributes and domain characteristics.

If this is right

  • Certificate and domain attributes may still contribute to detection when combined rather than used alone.
  • Detection systems should expect phishing domains to blend with low-traffic legitimate sites rather than stand out.
  • The empirical patterns supply a baseline for infrastructure analysis inside the .dk ecosystem.
  • Multi-feature approaches become more relevant once isolated indicators are shown to be insufficient.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Machine-learning models trained on these combined features could be tested directly on .dk traffic to measure any lift over single-feature rules.
  • The same three-group comparison could be repeated for other country-code namespaces to check whether the overlap pattern is local or general.
  • If external reports contain systematic bias, future studies might incorporate active probing or registrar-level logs to reduce labeling error.

Load-bearing premise

The phishing reports and popularity rankings used to label domains are accurate and free of significant selection or reporting bias when constructing the three comparison groups.

What would settle it

Re-label a random sample of domains through direct manual verification or additional independent sources and re-compute the feature distributions to test whether the reported overlaps disappear.

Figures

Figures reproduced from arXiv: 2603.21652 by Athanasios P. Pelekoudas, Christian H. Reichkendler, Epameinondas Bolis, Jasmin Lindner, Johannes T. E. Hansen, Mathias Davidsen, Prodromos Kyriakidis, Sajad Homayoun.

Figure 1: Pipeline diagram. Data sources noted in the paper's footnotes: Punktum dk (https://punktum.dk/); Abusemanager, a threat intelligence platform that monitors domain abuse (https://iq.global/iq-abuse-manager); and the Tranco 1 Million list, a ranking of the most popular websites (https://tranco-list.eu/).
Figure 2: Frequency of different CAs in the phishing dataset. Google Trust Services and Let's Encrypt are the dominant issuers, together accounting for 87.4% of observed certificates in phishing.
Figure 3: Histogram showing the total frequency of certificate lifetimes for all datasets.
Figure 4: Histogram showing the relative frequency of certificate lifetimes for all datasets.
Figure 5: Main statistics of missing certificate fields across domain categories.
Figure 6: Minimum and maximum number of missing fields per certificate.
Figure 7: Top 10 missing fields by category.
Figure 8: SAN similarity per certificate.
Figure 9: Distribution of registrant countries. Accompanying text fragment: "…interest from neighboring countries, possibly to target Danish audiences. The distribution of phishing domains is slightly different from popular and unpopular ones, because Czechia appears among the top countries. Although the difference in the distribution between phishing and benign .dk domains is not large, the selection of the country Czechia may illustrate a trend…"
Figure 10: Probability distribution of numerical domain-based features for each label.
Figure 11: Distribution of hosting providers. Accompanying text fragment: "…data source. Since the results of the analysis don't differ too much from results from related work, the collected data is still representative of phishing strategies as a whole. Moreover, because the data is historic, one domain may throughout its lifetime have had multiple certificates. It is especially problematic in the cases that a domain has changed ownership, and …"
Original abstract

Phishing attacks remain a persistent cybersecurity threat, and the widespread adoption of TLS certificates has unintentionally enabled malicious websites to appear trustworthy to users. This study examines whether certificate metadata and domain characteristics can help distinguish phishing domains from benign domains within the Danish .dk namespace. A dataset was constructed by combining registry information from Punktum dk with phishing reports and popularity rankings from external sources. TLS certificate attributes were collected using Netlas, while additional domain-based features were derived from DNS records and lexical analysis of domain names. The analysis compares phishing, popular, and less frequently visited domains across several feature categories, including Certificate Authorities (CAs), validity periods, missing certificate fields, SAN structure, registrant geography, hosting providers, and lexical properties of domain names. The results indicate that several features show observable differences between phishing and highly popular domains. However, phishing domains often resemble less popular domains, resulting in substantial overlap across many characteristics. Consequently, no individual feature provides a reliable standalone indicator of phishing activity within the Danish namespace. The findings suggest that certificate and domain attributes may still contribute to detection when combined, while also highlighting the limitations of relying on individual indicators in isolation. This work provides an empirical overview of phishing-related infrastructure patterns in the Danish .dk ecosystem and offers insights that may inform future phishing detection approaches.
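As an added illustration (not code from the paper, its authors or Pith), the abstract's three-group comparison in miniature: features of the kinds the paper lists (certificate lifetime, missing subject fields, SAN structure, lexical properties of the name) are computed over constructed records, and a histogram overlap coefficient, this example's choice of metric rather than a statistic the paper reports, is produced for phishing vs popular and phishing vs unpopular domains. The record layout, the domain names, the expected-subject-field set and the bin widths are all assumptions made here.

```python
from collections import Counter
from datetime import date, timedelta
import math

# Constructed stand-ins for Netlas-style certificate records; not the paper's data.
def rec(domain, label, issuer, start, days, sans, subject):
    return {"domain": domain, "label": label, "issuer": issuer, "not_before": start,
            "not_after": start + timedelta(days=days), "sans": sans, "subject": set(subject)}

D = date(2025, 1, 10)
RECORDS = [  # domain, group, issuer, not_before, lifetime, SANs, subject fields present
    rec("examplebank-login.dk", "phishing", "Let's Encrypt", D, 90, ["examplebank-login.dk", "www.examplebank-login.dk"], ["CN"]),
    rec("id-verify-nu.dk", "phishing", "Google Trust Services", D, 90, ["id-verify-nu.dk", "other-site.dk"], ["CN"]),
    rec("pakke-levering-nu.dk", "phishing", "Let's Encrypt", D, 90, ["pakke-levering-nu.dk"], ["CN"]),
    rec("bigmedia.dk", "popular", "DigiCert", D, 365, ["bigmedia.dk", "www.bigmedia.dk"], ["CN", "O", "L", "ST", "C"]),
    rec("toptv.dk", "popular", "DigiCert", D, 365, ["toptv.dk", "www.toptv.dk"], ["CN", "O", "C"]),
    rec("statuni.dk", "popular", "Sectigo", D, 365, ["statuni.dk", "www.statuni.dk", "mail.statuni.dk"], ["CN", "O", "C", "L"]),
    rec("hansens-vvs.dk", "unpopular", "Let's Encrypt", D, 90, ["hansens-vvs.dk", "www.hansens-vvs.dk"], ["CN"]),
    rec("cafe-solsikken.dk", "unpopular", "Let's Encrypt", D, 90, ["cafe-solsikken.dk"], ["CN"]),
    rec("frisorhuset.dk", "unpopular", "Google Trust Services", D, 90, ["frisorhuset.dk", "www.frisorhuset.dk"], ["CN"]),
]
EXPECTED_SUBJECT = ("CN", "O", "OU", "L", "ST", "C")  # assumed field set for the missing-field count

def lifetime_days(r):
    return (r["not_after"] - r["not_before"]).days

def missing_fields(r):
    return sum(1 for f in EXPECTED_SUBJECT if f not in r["subject"])

def san_similarity(r):
    """Share of SAN entries that are the certified domain itself or one of its subdomains."""
    own = [s for s in r["sans"] if s == r["domain"] or s.endswith("." + r["domain"])]
    return round(len(own) / len(r["sans"]), 2) if r["sans"] else 0.0

def lexical(r):
    name = r["domain"].rsplit(".", 1)[0]  # drop the .dk suffix
    probs = [n / len(name) for n in Counter(name).values()]
    return {"length": len(name), "hyphens": name.count("-"),
            "digits": sum(ch.isdigit() for ch in name),
            "entropy": round(-sum(p * math.log2(p) for p in probs), 2)}

def overlap(values_a, values_b, bin_width=1):
    """Histogram overlap coefficient: 1.0 = identical distributions, 0.0 = disjoint."""
    def hist(vals):
        counts = Counter(math.floor(v / bin_width) for v in vals)
        return {k: c / len(vals) for k, c in counts.items()}
    ha, hb = hist(values_a), hist(values_b)
    return round(sum(min(ha.get(k, 0.0), hb.get(k, 0.0)) for k in set(ha) | set(hb)), 2)

FEATURES = [("lifetime_days", lifetime_days, 30), ("missing_fields", missing_fields, 1),
            ("san_similarity", san_similarity, 1), ("hyphens", lambda r: lexical(r)["hyphens"], 1)]

def overlap_report(records, group_a, group_b):
    """Per-feature overlap between two groups; a feature near 1.0 cannot separate them on its own."""
    report = {}
    for name, fn, width in FEATURES:
        va = [fn(r) for r in records if r["label"] == group_a]
        vb = [fn(r) for r in records if r["label"] == group_b]
        report[name] = overlap(va, vb, width)
    return report

if __name__ == "__main__":
    print("phishing vs popular  ", overlap_report(RECORDS, "phishing", "popular"))
    print("phishing vs unpopular", overlap_report(RECORDS, "phishing", "unpopular"))
```

On these constructed records every feature separates phishing from popular domains (overlap 0.0 for lifetime, missing fields and hyphens) yet overlaps heavily with unpopular ones, which is the pattern the abstract describes; a feature must show low overlap against both benign groups before it can serve as a standalone signal.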

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper constructs a dataset of Danish .dk domains by combining registry data from Punktum dk with phishing reports and popularity rankings. It gathers TLS certificate metadata via Netlas and derives additional features from DNS and lexical analysis. The core analysis compares three groups—reported phishing domains, popular domains, and less-visited domains—across CA distributions, validity periods, missing fields, SAN structure, registrant geography, hosting, and lexical properties. The central observational result is that phishing domains show differences from highly popular domains but substantial overlap with less-popular ones, supporting the claim that no single feature serves as a reliable standalone phishing indicator.

Significance. If the distributional comparisons are robust, the work supplies a concrete empirical baseline for TLS and domain-feature patterns in a specific ccTLD, reinforcing that individual indicators are insufficient for detection while combinations may retain value. It adds targeted evidence on how phishing infrastructure blends with ordinary low-visibility domains in the .dk namespace.

major comments (2)
  1. [Abstract] Abstract and data-construction description: the central claim of 'substantial overlap' and 'no individual feature provides a reliable standalone indicator' is derived from comparisons across the three labeled groups, yet no sample sizes, statistical significance tests, or measures of variability (e.g., confidence intervals on overlap percentages) are reported. Without these, the strength of the overlap conclusion cannot be evaluated quantitatively.
  2. [Abstract] Abstract and methods: the three comparison groups are defined using external phishing reports and popularity rankings treated as fixed ground truth. Potential selection or reporting biases in these sources (over-representation of obvious phishing sites, registrar-specific coverage in popularity lists) are not discussed or subjected to sensitivity checks, yet any systematic mislabeling directly propagates into the observed feature overlaps and the downstream recommendation about combined features.
minor comments (2)
  1. The abstract states that 'several features show observable differences' but provides no concrete examples or quantitative contrasts for any specific feature (CA issuer, validity period, SAN count, etc.).
  2. No description is given of how domains with missing certificate fields or incomplete SAN data were handled during collection or analysis.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on our manuscript. The feedback highlights important areas for strengthening the quantitative support and transparency around data sources. We address each major comment below and indicate the revisions we will incorporate in the updated version.

Point-by-point responses
  1. Referee: [Abstract] Abstract and data-construction description: the central claim of 'substantial overlap' and 'no individual feature provides a reliable standalone indicator' is derived from comparisons across the three labeled groups, yet no sample sizes, statistical significance tests, or measures of variability (e.g., confidence intervals on overlap percentages) are reported. Without these, the strength of the overlap conclusion cannot be evaluated quantitatively.

    Authors: We agree that the abstract and data-construction description would be strengthened by explicit sample sizes, statistical tests, and variability measures. The full manuscript reports the sizes of the three groups in the methods section, but these details are not summarized in the abstract. In the revision we will update the abstract to include the number of domains in each group and add statistical significance tests (e.g., chi-squared or t-tests) for key distributional differences along with confidence intervals on overlap percentages in the results. These additions will allow quantitative evaluation of the overlap claim without altering the observational nature of the study. revision: yes

  2. Referee: [Abstract] Abstract and methods: the three comparison groups are defined using external phishing reports and popularity rankings treated as fixed ground truth. Potential selection or reporting biases in these sources (over-representation of obvious phishing sites, registrar-specific coverage in popularity lists) are not discussed or subjected to sensitivity checks, yet any systematic mislabeling directly propagates into the observed feature overlaps and the downstream recommendation about combined features.

    Authors: We acknowledge that potential biases in the external labeling sources were not explicitly discussed. The manuscript relies on established phishing reports and popularity rankings as ground truth, but does not address risks such as over-representation of obvious phishing sites or coverage limitations. In the revision we will add a limitations subsection that discusses these selection and reporting biases and their possible impact on observed overlaps. Where data permit, we will also include a brief sensitivity analysis (e.g., restricting to high-confidence phishing reports). This will clarify the robustness of the recommendation regarding combined features. revision: yes

Circularity Check

0 steps flagged

Purely observational comparison with no derivations or self-referential steps

Full rationale

The paper constructs three domain groups from external phishing reports and popularity rankings, collects TLS certificate and lexical features via Netlas and DNS, then directly compares their distributions (CAs, validity periods, SAN structure, etc.). No equations, fitted parameters, predictions, or models are present; the central claim of substantial overlap and lack of standalone indicators follows immediately from the observed empirical distributions without any reduction to inputs by construction. No self-citations are invoked as load-bearing uniqueness theorems or ansatzes. The analysis is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Empirical observational study; no mathematical derivations, fitted parameters, or new postulated entities. Relies on standard assumptions about data labeling accuracy and external scanner reliability.


