[andersa]

You don't send any data to the attester. It runs locally on your device, or rather is part of its core functionality. Building a chain of trust from the TPM hardware module, validating secure boot is enabled, validating the kernel and drivers have not been tampered with, eventually validating the browser has not been tampered with.

You can't run your own attester - these are implemented by the companies who provide the hardware, such as Microsoft or Apple.

[maxloh]

Could this be reverse engineered so that third-party browsers sent the same hash as Chrome?

[kevincox]

Not without exploits. This is a cryptographically signed chain of trust from hardware to booloader to kernel to the OS to Chrome. If any of these are tampered with the signature will not validate and they won't load. If you try to run an unsigned version the layer above you will refuse to sign the attestation. The only solution is finding exploits in the chain. If at any point you get unsigned code running or manage to get a signature outside of the signed environment then you can "spoof" the attestation. But while it is a big stack it is explicitly designed to prevent this exact issue, so it won't be easy and it will be quickly patched.

This is the same setup as SafetyNet on Android. SafetyNet can be worked around right now for "Basic Integrity" but this works by making your device claim to be an older device. Newer devices support hardware backed attestation for which there is no general work around. You can be sure that this proposal will be using hardware-backed attestation from the start.