From there, you can have as much TLS as you want, but that still won't give you server identity unless the server certificate is signed by someone you already trust. So a generic web browser would be screwed, because you either add SlateTruckCertificateAuthority to the globally trusted list, and then you still have to deal with revocations and certificate expiry, or you use some other CA that is willing to delegate. There's no good support for self-signed certificates or pinned certificates, and even if there were, the initial connection would be tough.
Unfortunately this really isn't a well-solved problem. Bluetooth can get you part of the way there, but it only offers really good security in theory (in practice it is constantly having issues) and it is intrinsically limited.
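The pinning problem described above, as an added example that is not part of the original comment: a trust-on-first-use pin check, showing that a pin only detects a changed certificate and says nothing about the first one seen. `PinStore`, the device id `truck-1` and the certificate byte strings are constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum


class PinResult(Enum):
    FIRST_CONTACT = "first_contact"  # no pin stored: nothing vouches for this cert
    MATCH = "match"                  # same cert as the one pinned earlier
    MISMATCH = "mismatch"            # different cert: the caller should abort


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """In-memory pin store keyed by device identifier (hypothetical helper)."""

    def __init__(self):
        self._pins = {}

    def check(self, device_id: str, cert_der: bytes) -> PinResult:
        seen = fingerprint(cert_der)
        pinned = self._pins.get(device_id)
        if pinned is None:
            # Trust on first use: remember the cert, but report that this
            # connection had nothing to be compared against.
            self._pins[device_id] = seen
            return PinResult.FIRST_CONTACT
        if hmac.compare_digest(pinned, seen):
            return PinResult.MATCH
        return PinResult.MISMATCH


# Constructed stand-ins for DER bytes. In a live client they would come from
# ssl.SSLSocket.getpeercert(binary_form=True) after the handshake.
DEVICE_CERT = b"constructed-self-signed-cert-of-the-device"
OTHER_CERT = b"constructed-cert-presented-by-someone-else"


def demo():
    store = PinStore()
    return [
        store.check("truck-1", DEVICE_CERT),      # first connection
        store.check("truck-1", DEVICE_CERT),      # later, same cert
        store.check("truck-1", OTHER_CERT),       # later, different cert
        PinStore().check("truck-1", OTHER_CERT),  # fresh client, wrong cert
    ]
```

The last call returns the same result as the first: a fresh client cannot tell the device's certificate from any other one on the initial connection.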