Ebikes might have more positive impact, but that doesn't matter unless you can convince a critical mass of people to use them instead of their cars. I say this as someone who thinks ebikes are cool, but that's absolutely not going to happen in any significant way at least in the US. Replacing a gas car with an ebike requires a significant shift in your lifestyle, which most people either can't or don't want to do. The benefit of a BEV is that you can mostly use it exactly like you use the gas car you already have, with some added benefit of being able to "refuel" it at home while you sleep. Changes that people actually adopt are at the end of the day the most impactful ones.

It seems like the problem here isn't the use of checklists, it's that the checklists in question contain questionable stuff like "enforce frequent reauth". Systematically checking for the presence of good things and the absence of bad things seems like a good idea both from a security and consistency perspective. Of course the trick is making sure your "good" and "bad" lists are well thought out and appropriately applied.

That's not a bad setup, but now your DNS requests to the root servers aren't encrypted, which means anyone between you and the root servers can see the requests. I guess it depends on whether it's more likely that someone is snooping the requests off the wire or that the server you're sending the requests directly to is snooping on them in addition to just resolving them.

I think the ideal solution would be if the root servers adopted encryption of some sort. But I can see why they're somewhat reluctant to do that, especially with relatively heavy protocols (compared to DNS) like DoH or DoT.

Edit: With the existence of QNAME minimization, I guess I should say that the requests to the root servers or authoritative DNS servers are unencrypted. This does at least spread out the risk a little, since other than your ISP there's probably some variation in who is actually between you and the various servers you're making requests to.

Even ignoring the question of the technical merits of DoT vs DoH, the way the author transitioned from "Cloudflare bad" to talking about DoT made no sense since DoT as an alternative does not solve the problems raised earlier in the post. Is the author opposed to DoH as a protocol or opposed to sending DNS requests to a company they don't like?

If we're getting into the technical part of the discussion though, I personally don't think DoH or DoT are great protocols for DNS. Security is fine, but it's a lot of overhead for relatively small requests where latency matters. I wish DNScrypt had gained more traction as an encrypted protocol designed specifically for DNS.

True, but at the end of the post the author also explicitly rejects the idea of the DoH protocol in general on questionable technical grounds, so clearly their objection isn't just Cloudflare. I think the argument would be a lot clearer if they didn't conflate "using Cloudflare for your DNS" with "using the DoH protocol for DNS" even if they think both of them are bad.