Re: Obvious problem here.
It is basically a legal requirement for schools to intercept all Internet access and to push local SSL certs so that they can intercept SSL sessions for, e.g. Google queries.
It's a requirement of things like extremism-detection, etc. but also just basic control of the service.
Otherwise, quite literally, the children will run riot in any lesson that uses the Internet onto anything they like. Because any SSL session that's unmonitored is basically a proxy for them to get onto everything they like. Which is a breach of basic child protection.
You can talk until the cows come home about "teacher supervision" etc. but it's impossible to stop a class of 30 rowdy kids with a non-IT teacher from Alt-Tabbing to their favourite proxy service (which changes daily, and even includes things like the Internet Archive, Google cached pages, etc.) when they're not looking. They are incredibly quick and smart about it and, sure, probably I'd spot most things if I was in the room long enough, but I'm an IT Manager for schools so you'd expect that. The average teacher doesn't stand a chance, especially with mobile devices and a "real" task set to do research on the Internet.
And no filter in the world would be worth operating if you can't intercept SSL on managed workstations. It would literally never pick up anything but SSL sessions to Amazon AWS, with no hint of what's actually being viewed.
Nobody suggests that people should be breaking connections on home wireless, guest networks, etc. (which should be filtered appropriately by user / whitelist anyway!) for no reason, but to suggest totally removing the ability to intercept SSL and whitelist certain certificates on the machines to enable them to wrap connections to an intermediate filter? That just kills government-mandated diligence on the use of school Internet connections. You will quite literally just stop schools using the Internet for such things. Some may say that's no bad thing, but they didn't come from a generation born without knowledge of even Windows Vista, who grew up with technology at their fingertips, who are tapping all screens expecting them to be touch-capable from age 3, and whose schools have millions of pounds of investment in online resources and services for everything from paying your lunch money to checking out your library book to submitting your homework.
You could quite radically set back advances in education by 20 years or more... that's how long I've been doing IT in schools and Internet access is a basic tool that's been present since the beginning of that.
"Just whitelist?" I hear you say. Okay. I have FIVE different vendors at the moment who all insist I whitelist the entirety of the Amazon AWS IP ranges (literally a copy-paste of every IP that Amazon says they could end up with). What do you think that does when you then visit any random page that happens to be hosted on those ranges?