Hacker News

* Russia

* Kazakhstan

* China

* Belarus

* Iran

* Myanmar

- list of countries that are known or suspected to MITM traffic, including SSL



how do they supposedly do it?


SSL certificates have a centralized hierarchy. Many browsers trust a long list of root certificate authorities from multiple countries.

https://cyberscoop.com/russia-tls-security-certificate-autho...

https://jpgamboa.com/china-ssl-authority-revoked-by-browsers...


Do some countries force the browser companies to add their root cert, despite abuse?


I imagine so. I understand that Opera GX, for example, provides a specialized version to Russian IPs that locks down the search engines that can be used.


There are always rumours. And some countries simply openly require computers sold in their country to have their root cert.


Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.

Now it only sounds weird when a country exerts their national sovereignty because the US doesn't need to perform any additional steps to install any of their Certs, they have hundreds of them by design.


> Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.

Yeah. I don't think the US explicitly requires it but they don't have to, there are more than enough US-based entities with root certificates who they could send a National Security Letter to if they ever wanted one. (Also the US FPKI root certificate is at least shipped by some vendors, although it seems to be disabled by default.)


is there oss that will scour and identify iffy certs on a box?


One attempt I know of: https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... There might be others.



