Wow. So after a lot of discussion and some digging by others, it looks like Trustcor, a root #CA in all your browsers, was fundamentally compromised (for at least 3 years, and possibly still ongoing), so much so that the current owner may not even realize it. You can read the details via Mozilla's dev-security-policy@mozilla.org at https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/Equ9-qk5BQAJ