SSL Cert for client side web application, is it needed?


Introduction

I have tried to find a good answer for it, but I haven’t gotten a good article about this topic.

There are 2 types of client applications (in the bigger picture) – one that runs on the server and one that you download and that runs in your browser.

My question is about the one that runs on your machine (that you download at first visit – Blazor WebAssembly to be specific).

Questions

Do I need to enable SSL (HTTPS) for this application or the web server that hosts this application as well, or is it not needed in the end?

Is only having the API connection encrypted enough?

Background

Yes, this is a cost-saving measure, since this is for my hobby project and I would like to keep running costs as minimal as possible. But since I still exchange data that should not be seen by a 3rd party, this application needs to be secure.

To enable HTTPS I would need a second static IP, which is 3$ a month (which is not much), but again, it is an additional cost for me that I would rather not have.

Any book/resource on ssl, client auth using cert, server auth pgp, keys, etc [closed]

Is there any book which covers security from a certs point of view in detail? I want topics like:

  1. SSL certs for webservers/sites
  2. Security certs for authenticating clients rather than username/password
  3. PGP keys, SSH keys, anything related
  4. CA cert chain, bundle, database certs
  5. diff types of formats of certs, keys
  6. Security at diff layers of the OSI model/protocols

RDP with self-signed cert requiring password before launching display

I’ve noticed that the search engine Shodan grabs screenshots from hosts running an RDP service, even if they offer a certificate.

To my understanding, the certificate is used to authenticate the server and encrypt the traffic sent and received (exactly like they are used in HTTPS), and thus should be irrelevant to the protection of hosts exposing RDP to the internet, but when I try to connect to such a service using xfreerdp, I get prompted for a password before I get to where the screenshot was taken, and then the error message: freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014].

I read that Shodan does not try passwords, it just grabs screenshots from accessible targets without credentials. How is Shodan able to grab such screenshots? Or what does xfreerdp do instead of launching the RDP display?

How to find SSL root cert that made connection to the database in PostgreSQL?

When we connect to PostgreSQL via ssl-mode=verify-full, how will I make sure that the certificate I passed is used while making the connection?

ssl_is_used(); shows only true or false. Are there any other extensions or pg_catalog views that show the root cert used in making the connection to the DB?

Replacing revoked SSL with a new cert but domain still showing old revoked cert

I bought and installed an SSL cert for my domain but then changed my mind, canceled the purchase and bought a slightly cheaper one. The old cert was then revoked and I proceeded to install the new cert.

Here is when things got worse. The domain is still showing the old revoked SSL, and that means my site can't be loaded in Firefox or any browser which uses OCSP. I tried reinstalling the new cert and even reissuing it, but to no avail.

Can anyone tell me how exactly I can purge the old revoked cert so it stops getting in the way of the new cert? I believe this has caused downtime to my site.

Is this an issue with the SSL provider or the server side? The hosting company kept bouncing this and blaming the SSL provider, while the other one pointed me to the hosting company.