Hypothetically, I wonder if it would be possible to spoof this if you also had an actual unmodified attested device. Something like a device in your home network that would, if you have an iPhone as well as an unattested computer that you actually want to use: get request for attestation from a website, send that request to your iphone instead, as if your iphone had opened the page and was receiving the request (or just have the iphone also try to load the page), intercept the signature the iphone sends to the website, and have your computer send it to the website instead.
Probably doable on some devices, but also easily blockable, as the authorisation features are generally built into the hardware already. Remember the expectation/worry is that you’d only be able to use closed-source browsers, so any way to go around this would essentially require cracking. So this could end up being a cat and mouse game between the big tech and crackers. Just to visit a web site.
Hypothetically, I wonder if it would be possible to spoof this if you also had an actual unmodified attested device. Something like a device in your home network that would, if you have an iPhone as well as an unattested computer that you actually want to use: get request for attestation from a website, send that request to your iphone instead, as if your iphone had opened the page and was receiving the request (or just have the iphone also try to load the page), intercept the signature the iphone sends to the website, and have your computer send it to the website instead.
Probably doable on some devices, but also easily blockable, as the authorisation features are generally built into the hardware already. Remember the expectation/worry is that you’d only be able to use closed-source browsers, so any way to go around this would essentially require cracking. So this could end up being a cat and mouse game between the big tech and crackers. Just to visit a web site.