if somehow the software could pull a switch address a nano-second after I confirm on my Trezors. I am just trying to think out of the box here. I have been using Trezors since early on with the T1 and several T's as well. I triple check the display and have never had any issues at all.
Not possible to infiltrate the signed transaction and keep the signature valid at the same time.
As soon as Trezor
or any other HWwill sign transaction with eligible destination address there is no way for any software client
no matter if the latter is infiltrated or not to switch that address
or any other details of this transaction. If the client will manage to change
somehow the destination address in transaction signed by Trezor
or any other HW the relevant signature will be invalid.
This ensures the transaction can't be tampered with after signing.This was a great and clear answer. It is what Trezor users expect. I/we have always suspected what you posted is spot on. However; I would love to read a "paper/link" clearly showing why this is so. I would love to dissect and see the transaction torn apart to better visualize how a swapped destination address (after a Trezor confirm) invalidates the entire transaction. I am not losing sleep over this but I feel like with me being a Crypto person for over 10 years I should be able to nail this in my mind. I cannot. I believe it and I know Trezor (and others) were designed for this to be true. I would love to spend the time to rip this apart and learn something beyond basic here. Just saying!!