Skip to content
Lightweight program that pollinates STHs between Certificate Transparency logs and auditors
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


The Certificate Transparency Honeybee (ct-honeybee) is a lightweight
program that retrieves signed tree heads (STHs) from Certificate
Transparency logs and uploads them to auditors.

You can help strengthen the integrity of the Certificate Transparency
ecosystem by running ct-honeybee on your workstation/server/toaster every
hour or so (pick a random minute so that not everyone runs ct-honeybee
at the same time).  Running ct-honeybee from many different Internet
vantage points increases the likelihood of detecting a misbehaving log
which has presented a different view of the log to different clients.


Python 3 is required.

Install ct-honeybee and put it in a cron job to run once an hour or so
(pick a random minute so that not everyone runs ct-honeybee at the
same time).

ct-honeybee is stateless and won't write to your filesystem.


All logs trusted or pending inclusion by Chrome are audited by
ct-honeybee.  Currently the list is hard-coded in the source code.


ct-honeybee uploads STHs to the following auditors:

If you run an auditor that implements the sth-pollination endpoint
described in Section 8.2 of draft-ietf-trans-gossip-00, please get in
touch <> and we will add you to ct-honeybee.


1. For each log: fetch the latest STH and add it to the list of STHs.
   For simplicity, signatures are not checked; we leave this job to the

2. Shuffle the list of auditors.

3. For each auditor: upload the list of STHs to the auditor using the
   protocol described in Section 8.2 of draft-ietf-trans-gossip-00.
   Add each returned STH to the list of STHs so they get pollinated
   to subsequent auditors.  Since we shuffle the list of auditors,
   we will pollinate in a different order each time ct-honeybee is run.


Written in 2017 by Opsmate, Inc. d/b/a SSLMate <>

To the extent possible under law, the author(s) have dedicated all
copyright and related and neighboring rights to this software to the
public domain worldwide. This software is distributed without any

You should have received a copy of the CC0 Public
Domain Dedication along with this software. If not, see
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.