Security Planner

Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them.

The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date.

Note: I am an advisor to this project.

Posted on December 14, 2017 at 7:01 AM • 49 Comments

Comments

Patrick • December 14, 2017 7:20 AM

A pity I haven't been able to test it. With javascript turned off (recommendation!), it does nothing but show a blank page. OK, if I trust securityplanner - it changes colour, loads a tracker, and then I would have to allow loading of scripts from third party domains. Nope. Won't do.

George • December 14, 2017 7:38 AM

I'm disappointed that they left out any advice about limiting administrator accounts on Macs & PCs.

George H.H. Mitchell • December 14, 2017 7:47 AM

+1 Patrick! Aargh! Even if you enable securityplanner.org (thank you, NoScript!), it still wants to talk to eventful.com and google-analytics.com. And they claim to promote security?? Surely they are capable of coming up with a non-javascript version of whatever it is they do.

Dr. I. Needtob Athe • December 14, 2017 7:53 AM

Add me to the list of readers who clicked the link and saw only a blue-green screen with a tiny revolving widget in the center.

Why is that, when obviously my browser has no problem reading THIS site?

Ph • December 14, 2017 8:11 AM

It seems I'm too safe for it to assess my safety.

"JavaScript is disabled
This guide uses JavaScript. Please enable it in your browser settings to continue"

No thanks, I'm not sacrificing safety for a safety assessment.

0LAf • December 14, 2017 8:33 AM

Well, I think the people this is aimed at are not too likely to be running NoScript, Ghostery or any other preventative software.

I had a look and yes, it's a nice wee site. Doesn't need any login or personal data (analytics excepted).

Happy to point the masses at it.

Bill Costa • December 14, 2017 8:34 AM

Ran afoul of my JavaScript and tracker blocking as well. Actually, that would be a good first test for any security advisor: detect that JavaScript is not being executed, congratulate the user, and either proceed without any need for JavaScript or, if that is not feasible, explain how the site will be using JavaScript so people can decide if they wish to enable it to proceed.

Dr. I. Needtob Athe • December 14, 2017 10:33 AM

"explain how the site will be using JavaScript so people can decide if they wish to enable it to proceed."

Sure, why not let the land shark in if he explains "I'm only a dolphin, Ma'am."

Andreas Schleth • December 14, 2017 11:15 AM

Quote:
"""
Improve your safety with tools for your needs.
Answer a few simple questions to get personalized recommendations of free and open-source software. It's confidential -- no personal information is stored, and we don't access any of your online accounts.
Warning Icon
JavaScript is disabled
This guide uses JavaScript. Please enable it in your browser settings to continue.
"""

security measure #1: disable javascript!

Wael • December 14, 2017 12:09 PM

Missing one item:

Concern: I want to speak my mind on Schneier.com and not become a person of interest!

Answer: Dawg! Use a sockpuppet on a Tor connection, and be mindful of your writing style. You may also want to incriminate someone by completely mimicking how they write.

Who cares ? • December 14, 2017 12:09 PM

Bruce Schneier should not be proud of being an advisor to this poorly-designed site requiring JavaScript and possibly more! Isn't he supposed to be *the* expert among the experts?

Russ • December 14, 2017 1:22 PM

"Chromebooks" should be among the listed platforms on the first question. They're an excellent security platform for your average non-techie web surfer.

Peter Boughton • December 14, 2017 1:34 PM

Super professional:
<!-- TODO: clean up header before deployment, remove http:// and unsafe-inline entries -->

Also disappointing that Bruce didn't review the site and raise these issues before promoting it.

echo • December 14, 2017 2:01 PM

Within the context of my own use model I tested this tool. The answer provided after clicking through didn't provide a rounded answer, only a partial answer which itself, while very useful, lacked context. I will provide some feedback and comment.

The use model I tested was using an Android phone with a risk of harassment. In practice this can include theft of a phone (or in some cases blocking of access to a phone). The answer was to enable backups. Indeed, this provides a way out, as a replacement phone can be used to access the data once restored. There are theoretical issues with this insofar as some data may be sensitive for third parties who may not like data which connects with them being uploaded to an external internet medium owned by another party. Offline backups are possible but require more effort.

My use model covers other questions asked by this tool. I am already aware of the metadata and legal issues. In theory this may involve a human rights discussion, especially in less benign environments. Well publicised methods exist to avoid the threats. Without further testing of this tool I cannot confirm whether the tool is adequate, but on the results obtained so far I am confident the tool is useful.

My comment is probably a question really. Following on from the previous topic, which raised questions about ownership of the endpoint and consent, I wondered if a security guide could be produced which is helpful when dealing with abuses within large organisations. I perceive this tool in a similar light as it goes some way to enabling the citizen to understand and guard themselves against abuses. Would it be possible and useful to build on this tool to provide similar help in more organisational or social contexts?

65535 • December 14, 2017 2:08 PM

@ Patrick, George, George H.H. Mitchell, Dr. I. and the Needtob Athe

“I trust securityplanner - it changes colour, loads a tracker, and then I would have to allow loading of scripts from third party domains. Nope.”-Patrick

I basically get the same with uMatrix. Add me to the list of No thanks.

@ Albert

Your link doesn’t require java but the actual tool page seems to need it :-(

Petre Peter • December 14, 2017 2:22 PM

No TCP/IP blocker recommendation for privacy issues. Good for augmentation as long as it doesn't bring on the flood.

Oh really • December 14, 2017 2:37 PM

"Chromebooks" should be among the listed platforms on the first question.

Strongly disagree.

Gwen • December 14, 2017 2:44 PM

Couldn't get it to work on tor-browser. Won't load unless javascript is enabled. Won't work unless you allow a bucket load of third party content.

Security check? A self-defeating exercise.

echo • December 14, 2017 2:45 PM

I approached this tool as an ordinary person. If I was nitpicking and paranoid I suppose I would complain about JavaScript and use Tor, but this creates a lot of other problems. Thankfully my usage model is fairly benign. The only people who should worry about me as an entity are jobsworths or people breaking criminal law.

bttb • December 14, 2017 4:23 PM

I've been playing with this PC internet-browsing configuration?

Use VirtualBox with guest vm https://spi.dod.mil/docs/TENS-1.7.3_public.iso
https://www.virtualbox.org
https://spi.dod.mil/LPS-Public_for_DoD.htm
https://en.wikipedia.org/wiki/Lightweight_Portable_Security

note: NoScript, off by default, is easily enabled (via Firefox Add-ons, of course)

Panopticlick results ( https://panopticlick.eff.org/ )
about 1 in 10,000 with NoScript enabled
about 1 in a half-million with NoScript disabled

albert • December 14, 2017 5:28 PM

@65535,

Yes, JS -is- required by the site, but at least we can visit CL w/o it. Never saw the CL webpage before.

Is blocking JS the first item on the page? I guess I'm one up without even reading the paper.

. .. . .. --- ....

MrC • December 14, 2017 10:25 PM

@ Ben
I'd recommend using them both. They serve distinct, if overlapping, purposes. I'd also add uBlockOrigin, but disable the filter lists it shares with uMatrix.

oh really • December 14, 2017 10:37 PM

"What are the thoughts on Umatrix compared to NoScript?"

It's like comparing gophers to mountain dew? Just how do you intend to compare them?

me • December 15, 2017 3:51 AM

To everyone who says "this is shit because it requires JavaScript", read this:
https://www.troyhunt.com/cloudflare-ssl-and-unhealthy-security-absolutism/
I'll repeat once again:
unhealthy-security-absolutism

I already have 2FA, Qubes OS, NoScript/uMatrix/HTTPS Everywhere/uBlock Origin/turned off passive mixed content, and so on... so I was not looking for advice, I was curious to see it.

But I think that the site is nice and well made, with useful and simple/doable advice.

For example it told me "if you can do one thing do this: turn on 2FA".
This is important because most people will be pwned not because of a JavaScript zero day in an HTTPS website but because of credential phishing, and 2FA can save you.

I would like a working NoScript version, but come on, that's how websites work today. I use NoScript when possible (almost always) to stop tracking, prevent popunders, prevent abusing my CPU time (mining), and all the nasty things that people do with it, but I think that for this website we can make an exception, can't we?

@Ben:
I always used NoScript, switched to uMatrix because with the latest Firefox it stopped working. NoScript *was* a more complete security suite (XSS, clickjacking...) while uMatrix has finer control on what is allowed and what is not (images, frames, scripts, ...).

I don't like the new NoScript GUI so I'm now using uMatrix. The main difference is that uMatrix doesn't support noscript tags, so you won't see messages like "please enable script to have this site working".
Sometimes it is useful because many websites claim that they want scripts while they work perfectly without, but sometimes this fallback is useful.

Robert Knox • December 15, 2017 6:09 AM

@Bruce

A polite request (genuinely, no sarcasm intended): since you are an advisor to the project, would you consider conveying to them that a lot of people who care about online security are slightly miffed about not being able to even load the page when they apply some of the most basic protective measures against fingerprinting, tracking and spread of malware?

George • December 15, 2017 9:45 AM

JavaScript is much less of an issue if you're not running as ADMIN on your box, and also if it's reasonably up to date.

Who? • December 15, 2017 9:56 AM

@ George

It depends. Is the goal avoiding the bad guys putting a flag on the root filesystem of your computer? Then you are right, JavaScript is mostly not an issue if running without admin/root privileges.

Is your goal protecting your privacy and/or your data stored on the computer? Then JavaScript is a serious concern even if not running with high privileges.

Fred P • December 15, 2017 10:09 AM

The concept seems good. Looking at the sources, though, I wonder about the "Content Security Policy": there are a number of http:// entries (as opposed to https://) on that line, and there's a warning below that line that the http:// entries should be removed.

The source, should you be interested:

    https://docs.google.com https://www.google-analytics.com http://www.google-analytics.com http://localhost:35729 http://0.0.0.0:35729; img-src 'self' data: https: http:">

And yes, I needed to unblock a number of sites from NoScript to get anything to run. I'll re-block those now.
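A defender-side check for the kind of policy Fred P and Peter Boughton quote, as an added example that is not part of the thread and not Security Planner's own code: it parses a Content-Security-Policy value and flags plaintext http:// sources, leftover development hosts such as localhost, scheme-wide allowances like `http:` and `data:`, and `'unsafe-inline'`. The sample policy is constructed around the fragment quoted above; the directive names in it are assumptions, since the quoted line is truncated before its first directive.

```python
"""Audit a Content-Security-Policy value for weak source expressions.

Added example, not part of the blog thread and not Security Planner's
own code. SAMPLE_POLICY is constructed, modelled on the fragment quoted
in the comments, and is not the site's real header.
"""
from urllib.parse import urlsplit

# Keyword sources that undo most of what CSP is for.
WEAK_KEYWORDS = {
    "'unsafe-inline'": "permits inline script/style, so injected markup still runs",
    "'unsafe-eval'": "permits eval()-style execution of strings",
}
# Scheme-only sources that allow whole classes of origin at once.
WEAK_SCHEMES = {
    "http:": "permits any plaintext-HTTP origin (content can be altered in transit)",
    "data:": "permits data: URIs, a common injection carrier",
    "*": "wildcard permits any origin",
}
# Hosts that belong on a developer's machine, not in a deployed policy.
DEV_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0"}


def parse_csp(policy):
    """Split 'directive src src; directive src' into {directive: [src, ...]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy):
    """Return a list of (directive, source, reason) findings; empty means clean."""
    findings = []
    for directive, sources in parse_csp(policy).items():
        for src in sources:
            lowered = src.lower()
            if lowered in WEAK_KEYWORDS:
                findings.append((directive, src, WEAK_KEYWORDS[lowered]))
            elif lowered in WEAK_SCHEMES:
                findings.append((directive, src, WEAK_SCHEMES[lowered]))
            elif "://" in lowered:
                # Host sources: check the scheme and whether the host is a dev box.
                url = urlsplit(lowered)
                if url.scheme == "http":
                    findings.append((directive, src, "plaintext http:// source; serve it over https://"))
                if url.hostname in DEV_HOSTS:
                    findings.append((directive, src, "development host left in the policy"))
    return findings


# Constructed sample: the quoted fragment, with assumed directive names
# and the 'unsafe-inline' entry the site's own TODO comment mentions.
SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://docs.google.com "
    "https://www.google-analytics.com http://www.google-analytics.com "
    "http://localhost:35729 http://0.0.0.0:35729; "
    "img-src 'self' data: https: http:"
)

if __name__ == "__main__":
    for directive, src, reason in audit_csp(SAMPLE_POLICY):
        print(f"{directive}: {src} -> {reason}")
```

Run against the sample, the audit reports eight findings: the inline-script allowance, three plaintext hosts (two of them the localhost and 0.0.0.0 live-reload entries that only make sense in development), and the scheme-wide `data:` and `http:` image sources. Any non-empty result is a reason to hold a deployment, which is the check the TODO comment in the page source was asking for.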

Peter Pearson • December 15, 2017 10:16 AM

Let me guess: if I enable Javascript in order to view the site, I'll get a page telling me I've flunked the security quiz.

MikeA • December 15, 2017 11:36 AM

uh, Mike: "Apply your updates"

You mean like the folks who updated to MacOS 10.13 and got a free bonus passwordless root login installed? No Thanks.

Clive Robinson • December 15, 2017 1:37 PM

@ George,

JavaScript is much less of an issue if you're not running as ADMIN on your box

A few years ago the main aim was to get at the PC to bot it, but these days it's more likely they are after any IntProp on your machine or on servers you are connected to.

Thus they look at two areas to attack: anything in the browser process memory, which compared to old CLI/OS protections is really quite awful security wise. From this they can bridge across to any other servers you are connected to in the browser.

The second problem is getting access to the storage the user has, both locally and on any network connected storage etc.

Files that end in .doc, .pdf etc become prime candidates. Even if not labelled as such, most file formats are either a plaintext protocol like CSV, RTF etc which are usually easy to recognise, or they have "magic numbers" as the first few file bytes, which again are easy to recognise and usually check.

As they are looking to copy the files out, not put files in, it makes their tracks much harder to track as they don't change the file system in a way the user might easily see.

So it really depends on what the attacker is doing as to how much of a threat JavaScript is and the not so good sandboxes it's not supposed to "Do the Houdini" out of.

albert • December 15, 2017 2:03 PM

@Clive,
"...or they have "magic numbers" as the first few file bytes, which again are easy to recognize and usually check...."

I wonder...I've seen files marked .jpg, but were actually .png files. Changing the extension fixed the problem. File extensions aside, how about changing the first 2 bytes of a file before sending? Your recipient changes them back before opening.

. .. . .. --- ....

echo • December 15, 2017 2:24 PM

So basically rattles are being thrown out of the pram over JavaScript because people are assuming a worst case scenario and advocating the strictest minimalism? What if either: A.) The use case is being given the cart before the horse treatment and B.) The response is overkill, leading to C.) Lack of driving positive change with respect to JavaScript implementations and getting the mass audience on side?

I haven't read anyone else indicating they have actually used the tool or provided a review from an end user perspective.

Clive Robinson • December 15, 2017 4:07 PM

@ echo,

So basically rattles are being thrown out of the pram over Javascript because people are assuming a worst case scenario

No, rattles are not being thrown, and yes, JavaScript is a worst case scenario.

That is, you are downloading unknown code that you have no idea what it does onto your computer, where it executes in a supposedly restrictive environment, which has on more than a number of occasions proved to be bad news security wise.

Also it's not going to get any better. W3C really needs its head looking at, preferably with a 14lb sledge hammer. It's overly permissive, overly complex, and of little or no use to users; APIs that exfiltrate all sorts of data to the upstream data thieves are without a doubt a disaster that is going to happen. The real question of interest being: is it going to go bad tomorrow or really really bad next week...

Now you might decide that this is a pessimistic view point, but look at it this way: if you live in one of the less salubrious streets in the world do you just let any individual into your sitting room to do as they please? I suspect most would answer NO quite emphatically. Well, that's what you are doing with JavaScript and will be with WebAsm etc.

It's not wise behaviour and it will at some point get a lot of people hurt.

Thus rather than question those who say it's unwise, you really should be turning the 10 mega candle power spot lights on the motives of those pushing it...

Clive Robinson • December 15, 2017 4:23 PM

@ Albert,

>>

The "magic" process is a little archaic and goes back to BSD Unix in the early 1970's. But because it's so darn useful it's still strutting its stuff today and probably will for some time to come.

Rather than me describe the process have a look at,

https://en.m.wikipedia.org/wiki/File_(command)

And read down about "magic" and its corresponding lib file.

You will find that like the "strings" command[1] it's one of life's little essentials for putting files and file systems into a state where you can get data out of them when they have been "cattle trucked".

[1] https://en.m.wikipedia.org/wiki/Strings_(Unix)
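The magic-number identification Clive describes here and in his earlier reply to George, together with the PNG-under-a-.jpg-name case albert raises, as an added example that is not part of the thread and is not code from file(1) or its magic database: a small sniffer with a hand-written subset of signatures that compares what a file's extension claims with what its first bytes say. The sample blobs are constructed in memory rather than read from real files.

```python
"""Sniff a file's type from its leading bytes, as file(1) does with its
magic database, and flag names whose extension disagrees with the content.

Added example, not part of the blog thread and not code from file(1).
The magic table is a small hand-written subset, and the sample blobs
below are constructed in memory rather than read from real files.
"""
import os

# (offset, magic bytes, type label); first match wins, so a longer
# signature must precede any shorter one that shares its prefix.
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),                          # also docx/xlsx/jar
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
    (0, b"\x7fELF", "elf"),
    (0, b"MZ", "pe"),
]

# What each extension claims to contain, using the same labels as MAGIC.
EXTENSION_TYPES = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".doc": "ole2", ".xls": "ole2", ".exe": "pe", ".dll": "pe",
}


def looks_like_text(data):
    """Heuristic for plaintext formats such as CSV or RTF: no NUL bytes,
    and almost every byte in the first 512 is printable ASCII."""
    sample = data[:512]
    if not sample or b"\x00" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def sniff_type(data):
    """Return the type label implied by the content, not by the name."""
    for offset, magic, label in MAGIC:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "text" if looks_like_text(data) else "unknown"


def check_file(name, data):
    """Compare the extension's claim with the sniffed type.

    Returns (claimed, actual, mismatch). claimed is None for extensions
    the table does not know, in which case no mismatch is reported.
    """
    claimed = EXTENSION_TYPES.get(os.path.splitext(name)[1].lower())
    actual = sniff_type(data)
    return claimed, actual, claimed is not None and claimed != actual


# Constructed sample blobs (real headers plus filler), not actual files.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 16
PDF_BLOB = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
CSV_BLOB = b"name,role\nalice,admin\nbob,user\n"

SAMPLES = {
    "photo.jpg": PNG_BLOB,      # albert's case: PNG data under a .jpg name
    "report.pdf": PDF_BLOB,
    "export.csv": CSV_BLOB,     # no magic number; recognised as plaintext
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        claimed, actual, mismatch = check_file(name, blob)
        print(f"{name:12} claims={claimed!s:6} content={actual:7} {'MISMATCH' if mismatch else 'ok'}")
```

Two things worth noticing from the output. The `.jpg` that really holds PNG data is caught because the name and the bytes disagree, which is exactly why the file would not open until albert renamed it. And the check is only a heuristic: a format with no signature falls through to the printable-text test, and anything that disturbs the leading bytes makes the content register as unknown rather than as its real type, which is why content scanners pair a magic check with deeper format parsing instead of trusting the first bytes alone.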

echo • December 15, 2017 4:29 PM

@Clive

Yes, this is why I have been going on about layered models and a proper evaluation of context. While this is orthogonal to this specific discussion I will cite the new NICE guidelines on vaginal mesh implants as an equivalent. The conclusion by one expert is he viewed the scandal unfolding for seven years and that while the guidelines are welcome they are effectively too late. He concludes this begs the question of whether people either "have their heads in the sand or do not know what they are doing". (His view is in the second URL linked to by the first article.)

I propose a solution to this needs to be designed as well as alternative reference implementations.

http://www.independent.co.uk/news/uk/home-news/vaginal-transvaginal-tvt-sling-the-mesh-scandal-nice-guidelines-health-watchdog-nhs-sui-incontinence-a8111721.html
http://www.bbc.co.uk/news/health-42110076

Change is possible in even the most hostile environments but does require a degree of political will and cooperation, much like, I suppose, the cryptography wars. Sometimes the most critical necessary change can provoke a backlash from vested interests but if the historical moment for change is there?...

AJWM • December 15, 2017 4:42 PM

Pondering this, and I'm not at home to try it on those systems, but if I set the suid-bit on the browser executable (and owned by some sandbox account), would it be reasonably safe to enable JavaScript? Obviously I'd then have to xhost + the sandbox account, but that's a small attack surface (browser->javascript->Xserver->my-stuff). (And yeah, I have to make sure system files aren't readable by sandbox. Or maybe run the browser in a docker container?)

Just tossing some ideas out. I mostly run NoScript.

Clive Robinson • December 15, 2017 7:16 PM

@ AJWM,

Or maybe run the browser in a docker container?

You are entering the domain of "the lesser flea"[1] and in that direction lies madness...

To look at it another way, you have a sandbox within a sandbox, the idea being that as neither are perfect they should cover each others weaknesses.

Another way of looking at this might be the layers of an onion. But this implies passivity, which means you think you have probability on your side. That is, the chance of each layer randomly having a hole in the same place is very small. However it does not work that way with active attackers; thus it's more like a simple combination lock where the tumblers can easily be "felt", so it does not take much skill to align them and get the door open and the treasure out.

To make matters worse the number of holes or slots in each tumbler goes up with time as new attack vectors are found or new methods discovered. This means the ease of opening becomes a lot easier quite rapidly with time. Which is not what you want in a security product...

So rather than enter this "nightmare of twisty little passages" taking you ever downwards, it's way easier to just blow up the entrance to the first cavern and walk in the sunshine. That is not to ever run code on your system where the provenance etc is unknown or can not be 100% verified not just by code signing but various formal methods.

Because as has been demonstrated by both the NSA and FBI you can in no way get code across the Internet that has "good provenance". They can steal or gain legal access to the signing keys so all the code arriving across an insecure channel --which is the very definition of the Internet MO--is dangerous. This includes all the stuff that comes down the turnpike of "Patch Tuesday" etc.

As has been observed "Security is either air tight or whistling in the wind." and it sure is not airtight with our current ways of doing things...

Thus the golden rule is,

    Don't trust it, don't run it, and without strong unpervertable verification there can be no trust.

[1] In 1800s English universities much of logic was taught as part of philosophy (or law). Things were changing and a poem appeared with the line,

    And on their backs are lesser fleas and so ad infinitum

The US version involves a story about a woman describing the world as being on the back of a turtle; when asked what the turtle stood on, she replied "On another turtle, yes sir, turtles all the way down". Avid readers of Terry Pratchett will already know this. Oh, and readers of Douglas Adams should remember about climbing out of the window before getting transported to Frogstar B. Infinite recursion or regression has got a long floaty white beard from all the stories it's just hidden under the surface of ;-)

PerryD • December 16, 2017 5:58 PM

Can’t get past the first question. What does ‘handle your personal information’ mean? Why would I use online shopping to ‘handle’ that?

TRX • December 17, 2017 8:16 AM

"Your browser doesn't support some features used in this app. Please upgrade to Firefox or Chrome for a better experience."

"App"? Is this for mobile phone users only? There's a picture of people waving phones around.

A security thingie that only runs on a browser with baked-in spyware is risible.

Rover • December 18, 2017 4:25 AM

Hi,

It is a pity the aim is to provide security assessment and planning and yet it does not operate in Tor Browser. I have found a lot of supposedly security related stuff won't work in Tor Browser, and yet one of the questions in this planner is about anonymity.

Even Linux Firefox 57 is not good enough.

Maybe this is an alpha version.

Rover

nanashi • December 19, 2017 1:28 AM

>JavaScript is disabled
>This guide uses JavaScript. Please enable it in your browser settings to continue.

Well, OK. I guess I'll turn on JS from a sandboxed VM to avoid fingerprinting. Getting Tor Browser, enable temporarily allow scripts...

>Your browser doesn't support some features used in this app. Please upgrade to Firefox or Chrome for a better experience.

Just wow. Not only does it require JS, but it requires reducing the security slider and enabling fairly unsafe features. I have to jump on the bandwagon now. This is just sad.

To all those saying JavaScript is not a big deal and blah blah, realize that the issue isn't just exploitation. Fingerprinting can be done with 100% or near-100% accuracy, uniquely identifying your system regardless of what OS you booted into or what browser you are using, and those fingerprinting methods require JavaScript. Ex. WebGL fingerprinting, audiocontext fingerprinting.

nanashi • December 19, 2017 1:38 AM

Well I went through the planner. To anyone who wants to do it but (justifiably) doesn't want to enable JavaScript, I can tell you it's really not worth it. This may just be my own biases as someone who prefers to draw up an attack tree or at least think through a threat model, but even for the layperson it seems quite limited. I mean, it doesn't do much other than link you to things like the EFF's classic Surveillance Self-Defense page, whereas I was expecting something that gave basic threat modeling assistance.

It seems far more effort has been put into making this site look all hip and mobile, with lots of AJAX and flashy smooth animations that slow almost to a halt when JIT is disabled, than has been put into making it actually useful. Maybe it's good for someone who is constantly on their mobile phone 24/7 and doesn't even know what a proxy is, much less what Tor and OPSEC are, but I doubt it'd be of any relevance to anyone for whom the name "Schneier" even rings a bell.

Anonymous2c • December 20, 2017 7:08 PM

@nanashi

By JIT do you mean just-in-time (JIT) compilation?

How about downloading Tor Browser Bundle, TBB, and use TBB with or without Tor?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.