TLS Certificate and Domain Feature Analysis of Phishing Domains in the Danish .dk Namespace

Computer Science > Cryptography and Security [Submitted on 23 Mar 2026] TLS Certificate and Domain Feature Analysis of Phishing Domains in the Danish .dk Namespace Athanasios P. Pelekoudas, Epameinondas Bolis, Jasmin Lindner, Prodromos Kyriakidis, Mathias Davidsen, Johannes T. E. Hansen, Christian H. Reichkendler, Sajad Homayoun Phishing attacks remain a persistent cybersecurity threat, and the widespread adoption of TLS certificates has unintentionally enabled malicious websites to appear trustworthy to users. This study examines whether certificate metadata and domain characteristics can help distinguish phishing domains from benign domains within the Danish .dk namespace. A dataset was constructed by combining registry information from Punktum dk with phishing reports and popularity rankings from external sources. TLS certificate attributes were collected using Netlas, while additional domain-based features were derived from DNS records and lexical analysis of domain names. The analysis compares phishing, popular, and less frequently visited domains across several feature categories, including Certificate Authorities (CAs), validity periods, missing certificate fields, SAN structure, registrant geography, hosting providers, and lexical properties of domain names. The results indicate that several features show observable differences between phishing and highly popular domains. However, phishing domains often resemble less popular domains, resulting in substantial overlap across many characteristics. Consequently, no individual feature provides a reliable standalone indicator of phishing activity within the Danish namespace. The findings suggest that certificate and domain attributes may still contribute to detection when combined, while also highlighting the limitations of relying on individual indicators in isolation. This work provides an empirical overview of phishing-related infrastructure patterns in the Danish .dk ecosystem and offers insights that may inform future phishing detection approaches. Subjects: Cryptography and Security (cs.CR) Cite as: arXiv:2603.21652 [cs.CR]   (or arXiv:2603.21652v1 [cs.CR] for this version)   https://doi.org/10.48550/arXiv.2603.21652 Focus to learn more Submission history From: Sajad Homayoun [view email] [v1] Mon, 23 Mar 2026 07:30:05 UTC (509 KB) Access Paper: HTML (experimental) view license Current browse context: cs.CR < prev   |   next > new | recent | 2026-03 Change to browse by: cs References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)