That isn't clear.
The EFF pages don't explain how it works. But I know Peter and his work, so my guess is that he is using the fact that most Web servers that have a certificate installed will allow access to any of the Web sites hosted on the machine via SSL. He has suggested this approach several times in the past at any rate, and it is the only model that fits the circumstances.
So BoingBoing.net would not need a certificate for its own site if it is co-hosted on a machine with bigshoppy.com which has a certificate for accepting credit card payments.
This is very close to a model that the IETF has been working on called promiscuous security. It does have certain advantages as a defense against the black arts of the NSA. But as Bruce Schneier points out, brakes are good, but if you think your brakes are better than they are, you are likely to find they cause you to crash when they fail.
What Peter is giving up here is authentication, which means that he is only providing protection against passive surveillance. He is not really providing protection for WiFi as stated in the article.
There are models that could extend the scheme to provide some degree of authentication. One of them is DANE. Unfortunately, that is rather compromised by the fact that it is built on DNSSEC and the US government has de facto control over the DNSSEC root. That does not enable an actual attack but has led several of the governments we are most worried about to strip out DNSSEC data at their national firewalls.
I have proposed a scheme called Omnibroker which could be used to address the authentication gap through a heuristic approach. But my focus right now is end-to-end email security.
Incidentally the IETF is meeting in London at the end of the month and we are discussing these very issues.