Why do browsers allow custom root CAs?
As pointed out in comments and answers, there are plenty of legitimate reasons why you would want to add a CA to your browser's trust store, and the mechanisms for doing this require admin access to the machine / browser.
You're implying a trust model where you don't consider your administrator (or past you) to be trustworthy and would like the browser to visually distinguish between a certificate that is publicly-trusted (i.e. issued by a CA in Mozilla's publicly-trusted list) and one that is privately-trusted because it was explicitly added to the browser's trust store. Maybe the usual green with a warning symbol for privately-trusted?
Good idea! It would also solve my problem of needing two copies of firefox installed: one for testing products that need me to install certs, and one for browsing the internet. You should see if Firefox already has an enhancement for this, and if not, suggest it :)
What you want is to have the browser defend the user against an "attack" performed by the local administrator.
In such a scenario, defense is impossible. The "malicious" admin can always replace your legit Firefox with an impostor he compiled using his own CAs, which will display a green padlock. When you're at work and you're using someone's machine (the company's in this case), you're 100% at the mercy of the machine owner. If the company wanted to snoop on you covertly, they can always install a keylogger and see your passwords before they even reach a secure browser.
The green box doesn't indicate safety against a local threat, it indicates safety from remote snooping. In this case, it indicates a secure connection to your TLS inspector. It indicates that your coworkers in the same LAN can't snoop your passwords, hence the green icon. What happens after the inspector is the responsibility of your network admin, and the browser cannot tell if it actually uses HTTPS.
What you can do, as a user, is to view the certificate and examine its certification path. Your browser can't decide if a certificate issued by DigiNotar is "better" than one issued by EvilCorp (which may happen to be your employer). Certificates are constantly changed and the CAs also are changed. The browser can't decide if one CA is more trustworthy than the other. Only you can decide who is the issuer and if you can trust them - and with what kind of information. You're supposed to use the machine only for work-related activities, so technically you're not doing anything you don't want EvilCorp to see.
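The distinction the first answer asks for (publicly-trusted vs. privately-trusted) and the certification-path check the answer above describes can be shown in a few lines of Go with the standard `crypto/x509` package. This is an added example, not code from any answer in this thread: it constructs a fake "public" root and a fake admin-installed "corp-inspector.test" root, keeps them in two separate pools, and labels a leaf for the assumed host `mail.example.test` by which pool its chain terminates in.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate; parent == nil means a self-signed root.
func mkCert(name string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, pk = tmpl, key // self-sign the root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClassifyTrust checks the public roots before the locally added ones, so a chain that only ends in an admin-installed root is labelled as such.
func ClassifyTrust(leaf *x509.Certificate, public, local *x509.CertPool, host string) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: public, DNSName: host}); err == nil {
		return "publicly-trusted"
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: local, DNSName: host}); err == nil {
		return "privately-trusted"
	}
	return "untrusted"
}

func main() {
	root, key := mkCert("corp-inspector.test", true, nil, nil)
	local := x509.NewCertPool()
	local.AddCert(root) // what the admin's "install certificate" step does
	leaf, _ := mkCert("mail.example.test", false, root, key)
	fmt.Println(ClassifyTrust(leaf, x509.NewCertPool(), local, "mail.example.test")) // privately-trusted
}
```

The label only exists because the two pools are kept apart; a single merged trust store, which is what the answers here describe, cannot make this distinction.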
- Because the official list changes over time.
- Because enterprises have a legitimate need to include "Internal" CAs.
- Because enterprises have a legitimate interest in being able to Man-in-the-Middle for security, compliance, or HR purposes.
- Because developers and testers have a legitimate need to Man-in-the-Middle.
Would you rather be trusting StartCom today? That's what you'd get with non-trivial modification.