You are correct. Would need something like a distributed ledger to fully prove things.
It might not be possible to verify 100%, but the more transparency the better, I guess. Seeing the 3-way handshake and connection information, the timings, location of the server. Would need to be quite elaborate to fake. Just thought it was a fun idea. Have the customer allowed into production. A lot more difficult than publishing a privacy page, source code, fake audit reports.