[ColanR]

I believe the article mentions that, but also notes your method works for low-traffic situations. The 0day is a high-performance alternative.

[thaumaturgy]

ipset is very fast (http://web.archive.org/web/20160514091316/http://daemonkeepe...).

The author's approach requires examining a certificate to see if it matches a pattern that may or may not change in the future.