
It does not, although it has a hardware RNG. However ChaCha20_Poly1305 will yield excellent software performance as it's ideally suited to NEON.

It could perhaps go even faster, given the VPU is a vector processor.



Isn't ChaCha20/Poly1305 still draft status in TLS? Might not be very helpful.


Yes, but the draft is already running in production and mainlined in Chrome, as well as BoringSSL (and thus throughout Google, I understand?) and LibreSSL - nothing stopping you from benefiting from it right now. The final spin on the AEADs is in final draft; it won't be too long, then the TLS WG is importing that.

(I'm still working out the details - there are a few things about the VPU we don't know - but the ChaCha core function in particular looks like something the VPU could do very naturally, except that it's got diagonals. However, a permutation to make those vertical might fix that, and if it can wrap around and the transform doesn't cancel out the benefit, it might perform very well. Or, it might block and be slower than the CPU. Hard to know at this stage, but if I come up with a good implementation I'll release it.)
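
The "permutation to make the diagonals vertical" idea above is the standard trick vector implementations of ChaCha use: rotate row 1 by one lane, row 2 by two and row 3 by three, so the diagonal round becomes a second column round on four independent lanes, then rotate back. The block below is an added example (not code from this thread or from any of the implementations mentioned in it) written in portable C rather than NEON intrinsics; it runs the reference column/diagonal ordering and the rotate-then-column ordering side by side and checks both against the ChaCha20 block-function test vector in RFC 8439 section 2.3.2 (key 00..1f, counter 1, nonce 00:00:00:09:00:00:00:4a:00:00:00:00, whose first output word is e4e7f110). The lane rotations are scalar loops standing in for a vector permute, and nothing here is constant-time-audited or intended for production use.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* ChaCha quarter round on four 32-bit words (RFC 8439 section 2.1). */
#define QR(a, b, c, d)                          \
    do {                                        \
        a += b; d ^= a; d = ROTL32(d, 16);      \
        c += d; b ^= c; b = ROTL32(b, 12);      \
        a += b; d ^= a; d = ROTL32(d, 8);       \
        c += d; b ^= c; b = ROTL32(b, 7);       \
    } while (0)

static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 4x4 state: constants / key / key / counter+nonce, row-major. */
static void chacha20_init(uint32_t s[16], const uint8_t key[32],
                          uint32_t counter, const uint8_t nonce[12]) {
    s[0] = 0x61707865; s[1] = 0x3320646e; s[2] = 0x79622d32; s[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) s[4 + i] = load32_le(key + 4 * i);
    s[12] = counter;
    for (int i = 0; i < 3; i++) s[13 + i] = load32_le(nonce + 4 * i);
}

/* Reference ordering: each double round is a column round then a diagonal round. */
static void rounds_reference(uint32_t x[16]) {
    for (int i = 0; i < 10; i++) {
        QR(x[0], x[4], x[ 8], x[12]);
        QR(x[1], x[5], x[ 9], x[13]);
        QR(x[2], x[6], x[10], x[14]);
        QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]);   /* diagonals */
        QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[ 8], x[13]);
        QR(x[3], x[4], x[ 9], x[14]);
    }
}

/* Rotate one 4-word row left by n lanes; stands in for a vector permute. */
static void rotate_row(uint32_t *row, int n) {
    uint32_t t[4];
    for (int i = 0; i < 4; i++) t[i] = row[(i + n) & 3];
    memcpy(row, t, sizeof t);
}

/* Vector-style ordering: rotating rows 1..3 by 1, 2, 3 lanes lines each
   diagonal up as a column, so the diagonal round is just a second column
   round over four independent lanes; rotate back afterwards. */
static void rounds_vectorised(uint32_t x[16]) {
    for (int i = 0; i < 10; i++) {
        for (int c = 0; c < 4; c++) QR(x[c], x[4 + c], x[8 + c], x[12 + c]);
        rotate_row(x + 4, 1); rotate_row(x + 8, 2); rotate_row(x + 12, 3);
        for (int c = 0; c < 4; c++) QR(x[c], x[4 + c], x[8 + c], x[12 + c]);
        rotate_row(x + 4, 3); rotate_row(x + 8, 2); rotate_row(x + 12, 1);
    }
}

/* ChaCha20 block function: 20 rounds then add the initial state back in. */
static void chacha20_block(const uint8_t key[32], uint32_t counter,
                           const uint8_t nonce[12], uint32_t out[16],
                           void (*rounds)(uint32_t *)) {
    uint32_t s[16], x[16];
    chacha20_init(s, key, counter, nonce);
    memcpy(x, s, sizeof x);
    rounds(x);
    for (int i = 0; i < 16; i++) out[i] = x[i] + s[i];
}

/* Returns 1 when both orderings agree with each other and with the
   RFC 8439 section 2.3.2 block-function test vector. */
int chacha20_selftest(void) {
    uint8_t key[32];
    const uint8_t nonce[12] = {0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0};
    uint32_t a[16], b[16];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, 1, nonce, a, rounds_reference);
    chacha20_block(key, 1, nonce, b, rounds_vectorised);
    return a[0] == 0xe4e7f110u && a[3] == 0xc47120a3u &&
           memcmp(a, b, sizeof a) == 0;
}

int main(void) {
    printf("chacha20 self-test: %s\n", chacha20_selftest() ? "ok" : "FAILED");
    return chacha20_selftest() ? 0 : 1;
}
```

The point of the side-by-side run is that the rotate-then-column form never touches a diagonal explicitly, which is what makes it map onto four-lane vector units; whether the extra permutes cost more than they save is exactly the open question in the comment above, and is something to measure per core rather than assume.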


I'm solely talking about browser compatibility.

(And don't get me wrong: I LOVE the work that's being done, and can't wait to be through with older cipher families!)

If you're streaming to mobile, ChaCha20 is out.

IE, Firefox, and Safari on the desktop: out. (so far)

Compatibility with IIS or any non-bleeding-edge middleware servers: out.


Regarding mobile: the latest Android Browser, and the mainline Chrome for Android and beta Chrome for Android both have CC20. agl specifically called out Android as a use case - ARMv7+NEON performance of ChaCha20 is substantially faster than, say, AES.

Yes, you'll probably be waiting until the RFC is out for wider support. I reckon it makes a leading candidate for "AES backup/standby", however.


Great news! Thanks. :)




