at the moment just using express.js I think but @nite can confirm. we could serve https over port 80 but unless the device endpoint is not also serving https which I understand is forced your end I’m not sure how the browser would handle it, i guess first pass is try it.
On the no need to add encryption because of the Device ->VPN->Visitor traffic route means that there is a high degree of trust placed in resin.io as the proxy operator and only person to have visibility of the devices that operate the VPN->visitorTraffic coupling.
I imagine certainly in the data collection scenario that asset owners are more than happy for you to provide the management services but will want the assurance that only their own PKI can provide to their data, also in the Device->VPN->visitorTraffic there is only a token issued by yourselves to provide authentication to both ends and no ability for customers to apply there own PKI systems. not utilising TLS anyway