This is sort of obvious. Facebook's key is signed by a well-known CA. Anyone can make a cert for anything, but that doesn't mean that browsers will recognize it as being "valid".
The author fails to mention how this is any more "broken" than TLS on anything else.