Noob question: is there not a way for the client to verify that it is actually talking to google.com in a situation like this? I would think there would be some way to verify based on certs or something like that.
If you want to be sure, you have to pin your TLS certificates. That way someone either has to decompile your executable and replace that pinned cert (hard if you use SW signing), crack your signature (not likely) or steal your private key.
There are several other methods that I've seen but they are not bulletproof:
- talking directly to hardcoded DNS such as 8.8.8.8
- hardcoding IP addresses into SW
- checking for some obscure header as a part of client/server identification
Yes, cert pinning, DNS over HTTPS, and encrypted DNS can make it much harder to see what the software on your network is doing. Even just verifying SSL certificates client side is enough in most instances. Luckily, proxy servers in corporate environments have forced many vendors into not fully implementing these features.
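To make the two points above concrete (the pinning suggestion in the earlier reply and the "verifying certificates client side" remark here), the following is an added example, not code from any commenter. It is a Go client that first performs ordinary chain validation against a trusted root set and then additionally requires the leaf certificate's SubjectPublicKeyInfo hash to match a pin. The server, its certificate and the "wrong" pin are all constructed locally with `net/http/httptest`, so it runs offline; the hypothetical `pinnedClient` and `spkiPin` helpers are mine. The second request models an intercepting proxy whose certificate the OS trusts: chain validation passes, but the pin check does not.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 digest of the certificate's
// SubjectPublicKeyInfo (the value public-key pinning schemes compare).
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient builds an http.Client that keeps normal chain validation
// against roots and, on top of it, rejects any leaf whose SPKI hash is
// not in the pin set. Hypothetical helper written for this example.
func pinnedClient(roots *x509.CertPool, pins []string) *http.Client {
	verify := func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
		// verifiedChains is populated because InsecureSkipVerify is false,
		// so the chain has already been validated against roots here.
		for _, chain := range verifiedChains {
			got := spkiPin(chain[0])
			for _, want := range pins {
				if got == want {
					return nil
				}
			}
		}
		return errors.New("certificate pin mismatch: leaf SPKI not in pin set")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:               roots,
		VerifyPeerCertificate: verify,
	}}}
}

// fetch performs a GET and returns the handshake/transport error, if any.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// runDemo starts a local TLS server (constructed test certificate), pins
// its key, then shows that a trusted chain with a different key is refused.
func runDemo() (goodErr, badErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	defer srv.Close()

	// Trust the server's self-signed certificate as a root, as the OS
	// would trust a corporate proxy's CA.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())

	// Correct pin: chain validation and pin both succeed.
	goodErr = fetch(pinnedClient(roots, []string{spkiPin(srv.Certificate())}), srv.URL)

	// Constructed wrong pin (an all-zero digest): the chain is still
	// trusted, but the key is not the one the client expects.
	wrong := base64.StdEncoding.EncodeToString(make([]byte, 32))
	badErr = fetch(pinnedClient(roots, []string{wrong}), srv.URL)
	return goodErr, badErr
}

func main() {
	good, bad := runDemo()
	fmt.Println("correct pin:", good)
	fmt.Println("wrong pin:  ", bad)
}
```

Keeping `InsecureSkipVerify` false matters: the pin check is layered on top of hostname and chain validation rather than replacing it, so a pin typo fails closed instead of silently disabling verification.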