Board: Hardware wallets
Topic: Re: [ESHOP launched] Trezor: Bitcoin hardware wallet
by Perlover on 28/08/2014, 17:04:56 UTC
Hi,

I noticed a strange thing.

The Trezor is a device for signing all outputs, and all outputs and the value of each output should be shown to me on the screen.
Is that correct?

But I noticed that when I sent some money to addresses A, B, C (I did the transaction for 10 addresses) there was an 11th output - that's OK, one address is the change from my wallet.

BUT! The 11th address (or the 1st) is not shown by the Trezor - this is the change address. So one address slips past my eye. It's very strange.
How does the Trezor decide that one address (and its value too!) should not be shown to me when I sign the transaction?

I understand that it may be done for ease of use. But I would like to know the algorithm for this decision.
Maybe there is a security hole? Can a hacker tell the Trezor that some address X from a faked transaction is a change address, so that the Trezor would not show me this address and value on the Trezor's screen?

I can imagine that the Trezor could get the change address as a BIP32/BIP44 path, recalculate the address inside itself, and then decide that this address really is my own change address and not show it and its value to me. But I am not sure that it is done this way. If the protocol has only a bit for the address (change/not_change), it will be a security hole for a trojan.

I think the Trezor should show all outputs and the value of each output, including the change address. A change address could be shown with the remark 'Your Change' or in some other way. Otherwise, the thought creeps in that the algorithm has a loophole.

What do you think?
And what do Stick or Slush think about this? I don't want to ask this through the ticket system because the Trezor project should be discussed publicly.
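
The two designs the post contrasts, as an added example (not part of the original post and not Trezor's firmware): a signer that trusts a host-supplied change bit versus one that hides an output only after re-deriving its address from the path with its own seed. `derive_address` is a hypothetical HMAC stand-in for BIP32 derivation, and the output dictionaries, seed and sample addresses are constructed.

```python
import hashlib
import hmac

H = 0x80000000  # BIP32 hardened-index marker

def derive_address(seed: bytes, path: tuple) -> str:
    """Hypothetical stand-in for BIP32 derivation + address encoding (not real BIP32)."""
    key = seed
    for index in path:
        key = hmac.new(key, index.to_bytes(4, "big"), hashlib.sha512).digest()
    return "addr_" + hashlib.sha256(key).hexdigest()[:20]

def shown_with_flag(outputs):
    """Weak design: the signer hides any output the host marks as change."""
    return [(o["address"], o["amount"]) for o in outputs if not o.get("is_change")]

def shown_with_path(seed, outputs):
    """Stronger design: hide an output only if the signer re-derives that
    address itself from a BIP44 change-chain path (m/44'/coin'/account'/1/i)."""
    shown = []
    for o in outputs:
        path = o.get("path")
        own_change = (
            path is not None and len(path) == 5 and path[3] == 1
            and hmac.compare_digest(derive_address(seed, path), o["address"])
        )
        if not own_change:
            shown.append((o["address"], o["amount"]))
    return shown

# Constructed sample data: one payment output plus one "change" output.
SEED = b"constructed demo seed, never use"
CHANGE_PATH = (44 | H, 0 | H, 0 | H, 1, 7)
PAYMENT = {"address": "addr_recipient", "amount": 50000}
HONEST = [PAYMENT, {"address": derive_address(SEED, CHANGE_PATH),
                    "amount": 12000, "path": CHANGE_PATH, "is_change": True}]
# Tampered host: same claim of "change", but the address is not derivable from the seed.
TAMPERED = [PAYMENT, {"address": "addr_not_mine",
                      "amount": 12000, "path": CHANGE_PATH, "is_change": True}]

if __name__ == "__main__":
    print("flag, tampered:", shown_with_flag(TAMPERED))        # output stays hidden
    print("path, tampered:", shown_with_path(SEED, TAMPERED))  # output is displayed
    print("path, honest:  ", shown_with_path(SEED, HONEST))    # only the payment
```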