Let's face it. Intercepting HTTPS requests to redirect users to the login page is a bad idea. And as we move forward and more sites start using HSTS, it gets worse. It also undermines the seriousness of the browsers' certificate error messages, as users could easily get used to that and click continue as soon as they see the message anywhere.
Using HTTPS for the login page in a LAN environment, however, is a good idea (as long as you bother getting a valid cert), as it would allow securely transferring users' credentials. The TLS layer would ensure that to some very good extent.
The default behavior of the MikroTik hotspot when using the HTTPS authentication method, however, is to also intercept all 'uncaught' (as in there is no Walled Garden IP rule for it) and unauthenticated HTTPS traffic and redirect it to the login page. This of course results in an ugly certificate warning message in the users' browsers.
Luckily, we are able to disable this interception with a NAT rule in the pre-hotspot chain, accepting dest-port 443 if the traffic is coming from an unauthenticated client and is not destined to the device itself. This, however, also disables the neat feature of Walled Garden (no, I do not mean Walled Garden IP), which is capable of dynamically allowing access to HTTPS hosts for unauthorized users by comparing the destination's IP address to the local DNS cache (at least I think that's how it works). I really like this feature. It works reliably, does not add any additional IP based rules in the filter/nat tables (unlike Walled Garden IP), and can perfectly handle the most complex domains with hundreds of IPs and very low DNS TTLs as long as clients use the MikroTik DNS server exclusively (which is the case in a hotspot environment).
Unfortunately, it does not seem easy to reliably differentiate between the encrypted traffic for when the router is trying to intercept an external host and when it is trying to display its login page directly (both use the same local port: 64875). This means we effectively lose Walled Garden functionality for port 443 as well.
Probably the best way to deal with this is by adding a new option in the hotspot server settings to disable interception of port 443 for external hosts without sacrificing Walled Garden functionality.
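For reference, this is how the workaround described in the post (accepting unauthenticated client traffic to port 443 in the pre-hotspot chain) looks as a RouterOS firewall rule. It is an added example, not the poster's own configuration; the matcher names (`hotspot=!auth`, `dst-address-type=!local`) are those documented for RouterOS NAT rules, and the port 443 value and the comment are the only page-specific parts.

```routeros
# Added example, not from the original post.
# The hotspot's dynamic rules jump from the 'hotspot' chain into 'pre-hotspot'
# before they reach the hs-unauth redirect to local port 64875. Accepting the
# packet here ends NAT processing, so unauthenticated HTTPS to external hosts
# is no longer intercepted and no certificate warning is shown.
/ip firewall nat
add chain=pre-hotspot action=accept protocol=tcp dst-port=443 \
    hotspot=!auth dst-address-type=!local \
    comment="hotspot: do not intercept unauthenticated HTTPS to external hosts"

# Caveat from the post: because this accept happens before the hotspot's own
# Walled Garden (DNS-cache based) decision, it also switches that dynamic
# allow-list off for port 443. Explicit Walled Garden IP entries still work:
/ip hotspot walled-garden ip
add action=accept dst-address=192.0.2.10 dst-port=443 protocol=tcp \
    comment="example host (documentation address) still reachable via IP rule"
```

The first rule intentionally leaves traffic destined to the router itself (`dst-address-type=local`) untouched, so the login page on the hotspot's own HTTPS port is still served.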