I think HTTPS for IoT (especially 8-bit uC) is difficult or even impossible. TLS certificates for small devices are impossible (internal IP). Messages from the browser are confusing for normal users. I have developed a concept for secure login and symmetrical encryption of the data transmission (see pic in attachment). I would like to discuss that.
It's a modern-day paradox when you think about it...
People wanting supreme ease of connectivity, instantly, between their devices...
yet this aim is supposed to be compatible with safeguards to block any unwanted connections to their devices.
You may have a solution today for a certain device, but tomorrow someone will invent a malware app that bypasses your safeguard.
Sometimes it makes sense to use simple encryption. It depends on the application. When there is a proprietary system, often there is not much interest in "hacking" the data stream.
The bigger the system (internet communication via Windows) the more people try to find out how to decrypt the data ... investing some time and maybe money.
But for your homebrew air-conditioning control (for example) the neighbours probably won't spend much effort to get into your system.
Of course, absolute security is an illusion. There are security apostles who have never written a line of source code and unsettle users. Does a light switch have to be encrypted? Who makes the effort to attack it?
I wanted to make a protocol that was simple, implementable and "invisible" to users. It's sure not HTTPS.
It costs 5 kB ROM and 50 B RAM (8-bit PIC). Access has become only negligibly slower.