Is ChaCha20-Poly1305 secure?

Yes. ChaCha20-Poly1305 is one of only two AEAD ciphers approved for TLS 1.3, alongside AES-GCM. The IETF, the IRTF CFRG, and Mozilla's server-side TLS guidance all list it as a recommended modern cipher, and there is no published practical attack against the construction when implementations follow RFC 8439.

Is ChaCha20-Poly1305 deprecated?

No. ChaCha20-Poly1305 is an active mandatory-to-implement cipher in TLS 1.3 and a recommended cipher in TLS 1.2 through RFC 7905. Browsers, OpenSSL, BoringSSL, and Mozilla NSS all keep it enabled by default, and WireGuard uses it as the only data-channel cipher.

Does TLS 1.3 use ChaCha20-Poly1305?

Yes. TLS 1.3 defines TLS_CHACHA20_POLY1305_SHA256 as one of three mandatory AEAD cipher suites, alongside TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384. Every TLS 1.3 client and server is required to implement at least one of those three, and most ship all three.

Is ChaCha20-Poly1305 faster than AES-256-GCM?

It depends on hardware. On CPUs without AES-NI hardware acceleration, such as older ARM phones and low-end routers, ChaCha20-Poly1305 is faster and uses less battery. On modern desktop CPUs and recent Apple Silicon with AES-NI or equivalent instructions, AES-256-GCM is faster, sometimes by 2x to 3x.

Does Safari support ChaCha20-Poly1305?

Yes. Safari supports ChaCha20-Poly1305 as a TLS cipher suite from Safari 11.1 on macOS and Safari 11 on iOS and iPadOS. Older Safari releases on macOS 10.13 and earlier never added the cipher.

What RFC defines ChaCha20-Poly1305?

RFC 8439 is the current authoritative specification of the ChaCha20-Poly1305 AEAD construction. It replaces the earlier RFC 7539. RFC 7905 defines the matching TLS 1.2 cipher suites, and RFC 8446 lists TLS_CHACHA20_POLY1305_SHA256 as a TLS 1.3 cipher suite.

Does WireGuard use ChaCha20-Poly1305?

Yes. WireGuard uses ChaCha20-Poly1305 as its only data-channel AEAD cipher. The protocol is hard-coded to the construction, with no negotiation, which keeps the implementation small and removes downgrade risk.

What is the difference between ChaCha20 and ChaCha20-Poly1305?

ChaCha20 is a stream cipher that only encrypts. ChaCha20-Poly1305 is the AEAD construction that pairs ChaCha20 with the Poly1305 message authentication code, so a recipient can verify both confidentiality and integrity of the ciphertext in one step.

Does Internet Explorer support ChaCha20-Poly1305?

No. Internet Explorer never shipped ChaCha20-Poly1305 on any version, including IE 11 in IE-mode inside Microsoft Edge. Microsoft has retired Internet Explorer, and any service that still has IE clients has to keep an AES-GCM or AES-CBC cipher suite enabled for them.

How do I check if a browser supports ChaCha20-Poly1305?

Open the page on the browser, view the connection details in the address bar lock icon, and read the cipher suite. A modern Chrome, Firefox, Safari, or Edge connecting to a server that prefers ChaCha20 will show TLS_CHACHA20_POLY1305_SHA256 on TLS 1.3 or ECDHE-RSA-CHACHA20-POLY1305 on TLS 1.2.

Home
/
Learning Hub
/
ChaCha20-Poly1305: Browser Support, Cipher Suites

Testing

ChaCha20-Poly1305: Browser Support, Cipher Suites

ChaCha20-Poly1305 is an IETF AEAD cipher in TLS 1.2 and 1.3, supported from Chrome 33, Firefox 47, Safari 11.1, Edge 79, and Opera 36 on.

Prince Dewani

May 6, 2026

On This Page

About ChaCha20-Poly1305
Browser Support
Cipher Suites
vs AES-256-GCM
Use Cases
Known Issues
Citations

ChaCha20-Poly1305 is an IETF authenticated encryption algorithm in RFC 8439 that pairs the ChaCha20 stream cipher with the Poly1305 message authentication code into one AEAD construction. Browsers ship it as a TLS cipher suite from Chrome 33, Edge 79, Firefox 47, Safari 11.1, Opera 36, and Samsung Internet 4 on, while Internet Explorer and Opera Mini lack support.

This guide covers what ChaCha20-Poly1305 is, browser support, the TLS cipher suites, the AES-GCM comparison, and known issues.

What is ChaCha20-Poly1305?

ChaCha20-Poly1305 is an AEAD cipher the IETF standardized in RFC 8439. It encrypts data with the ChaCha20 stream cipher under a 256-bit key and a 96-bit nonce, then authenticates the ciphertext with a Poly1305 tag. Browsers, OpenSSH, WireGuard, and IPsec all use it.

Which browsers does ChaCha20-Poly1305 support?

Every modern browser supports ChaCha20-Poly1305 as a TLS 1.2 and TLS 1.3 cipher suite. Internet Explorer and Opera Mini are the only major exceptions, and the global usage figure on caniuse sits above 96%.

Loading browser compatibility data...

ChaCha20-Poly1305 compatibility in Chrome

Chrome supports ChaCha20-Poly1305 from Chrome 33 on Windows, macOS, Linux, ChromeOS, and Android. Early Chrome 33 to 48 builds shipped a non-standard draft code point, and Chrome 49 added the final RFC 7905 code points alongside it. Chrome 4 to 32 did not support the cipher. The Chromium client picks ChaCha20 over AES-GCM when the device lacks AES-NI hardware acceleration, which is common on low-end ARM phones.

ChaCha20-Poly1305 compatibility in Edge

Microsoft Edge supports ChaCha20-Poly1305 from Edge 79 on Windows, macOS, Linux, Android, and iOS. Chromium-based Edge inherits the BoringSSL TLS stack, which negotiates the cipher on TLS 1.2 and TLS 1.3 by default. Legacy EdgeHTML versions, Edge 12 to 18, did not support the cipher because Schannel on those Windows builds never offered ChaCha20.

ChaCha20-Poly1305 compatibility in Firefox

Firefox supports ChaCha20-Poly1305 from Firefox 47 on Windows, macOS, Linux, and Android. Firefox 2 to 46 did not support the cipher because Mozilla NSS only added the AEAD construction in NSS 3.24. Firefox ESR shipped the cipher with the 52 ESR branch, and every ESR release since has kept it on by default.

ChaCha20-Poly1305 compatibility in Safari

Safari supports ChaCha20-Poly1305 from Safari 11.1 on macOS High Sierra and Safari 11 on iOS 11 and iPadOS. Apple wired the cipher into the SecureTransport TLS stack, and the same code path covers Safari on macOS, iOS, iPadOS, watchOS, and tvOS. Safari 3.2 to 11 did not offer the cipher, since SecureTransport on macOS 10.13 and earlier shipped without it.

ChaCha20-Poly1305 compatibility in Opera

Opera supports ChaCha20-Poly1305 from Opera 36 on desktop and Opera Mobile 80 on Android. Opera 15 to 35 inherited Chromium's earlier TLS stack and did not yet have the AEAD construction wired in. Opera Mini renders pages on a server proxy, so the user agent never negotiates the cipher with origin servers and shows the proxy's TLS configuration instead.

ChaCha20-Poly1305 compatibility in Samsung Internet

Samsung Internet supports ChaCha20-Poly1305 from Samsung Internet 4 on Android. The browser ships the Chromium BoringSSL TLS stack, so the cipher is on by default for TLS 1.2 and TLS 1.3 connections. Samsung Internet on lower-end Galaxy and Tab devices often ranks ChaCha20 above AES-GCM in the client preference list, since many of those chips lack hardware AES.

ChaCha20-Poly1305 compatibility in Android Browser

The legacy Android Browser on Android 2.1 to 4.4 does not support ChaCha20-Poly1305, because the AOSP WebKit build shipped before the cipher existed. Android WebView switched to Chromium in Android 4.4, and recent WebView and Chrome for Android builds negotiate the cipher on every modern Android release. Older AOSP devices stuck on the pre-Chromium WebView never receive the cipher.

ChaCha20-Poly1305 compatibility in Internet Explorer

Internet Explorer does not support ChaCha20-Poly1305 on any version, from IE 5.5 through IE 11. Microsoft has retired Internet Explorer. Schannel on Windows 7, 8, and 10 never added the cipher to the IE-mode code path, so any service that still has IE clients on the wire has to keep an AES-GCM or AES-CBC cipher suite enabled for them.

Note: ChaCha20-Poly1305 negotiation differs across browsers, OS versions, and CPU hardware. Test your TLS handshake on real browsers and devices with TestMu AI. Try TestMu AI free!

What cipher suites use ChaCha20-Poly1305?

ChaCha20-Poly1305 appears in one TLS 1.3 suite and three TLS 1.2 suites. The TLS 1.3 suite drops the key-exchange and signature names, since TLS 1.3 negotiates those in separate extensions. The TLS 1.2 suites keep the full ECDHE-and-signature naming.

TLS_CHACHA20_POLY1305_SHA256: The TLS 1.3 cipher suite, defined in RFC 8446, code point 0x13,0x03. Every TLS 1.3 implementation is required to support at least one of TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, or this suite.
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: The TLS 1.2 suite for RSA-signed certificates, defined in RFC 7905, code point 0xCC,0xA8. This is the most common ChaCha20 suite negotiated against TLS 1.2 web servers.
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: The TLS 1.2 suite for ECDSA-signed certificates, code point 0xCC,0xA9. Cloudflare, Google, and Let's Encrypt with ECDSA leaf certificates negotiate this suite.
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: The TLS 1.2 finite-field DHE variant, code point 0xCC,0xAA. It is rare in practice, since modern servers prefer ECDHE.

The snippet below uses OpenSSL to force a connection through the TLS 1.3 ChaCha20 suite, then through one of the TLS 1.2 suites. Run it against a server that supports the cipher and the s_client output names the negotiated suite on the New, TLSv1.x line.

# Connect with OpenSSL and force the ChaCha20-Poly1305 TLS 1.3 suite.
openssl s_client -connect example.com:443 \
  -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256

# TLS 1.2 equivalent: only offer the ChaCha20 cipher suites.
openssl s_client -connect example.com:443 \
  -tls1_2 -cipher 'ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305'

# In the handshake output, look for the negotiated line:
#   New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256

ChaCha20-Poly1305 vs AES-256-GCM

ChaCha20-Poly1305 and AES-256-GCM are the two AEAD ciphers that TLS 1.3 keeps on the standards track. The right choice depends on the CPU, the threat model, and the side-channel posture of the implementation.

Dimension	ChaCha20-Poly1305	AES-256-GCM
Cipher type	Stream cipher with Poly1305 MAC	Block cipher in Galois/Counter Mode
Key size	256-bit key, 96-bit nonce	256-bit key, 96-bit nonce
Specification	RFC 8439, RFC 7905, RFC 8446	NIST SP 800-38D, RFC 5288, RFC 8446
Hardware acceleration	SIMD on most ARM and x86 CPUs	AES-NI on x86, ARMv8 Crypto Extensions
Performance without AES-NI	Faster, lower power on ARM	Slower in software-only mode
Performance with AES-NI	Slower than AES-GCM	Up to 2x to 3x faster
Side-channel risk	Constant-time by construction	Cache-timing risk in software
Typical client preference	Mobile, IoT, low-power devices	Servers and modern desktops

What are the use cases of ChaCha20-Poly1305?

ChaCha20-Poly1305 shows up wherever a protocol needs a fast, side-channel-resistant AEAD that runs well in software. The cipher is a default in modern web traffic, modern VPNs, and modern SSH.

HTTPS on mobile devices: Cloudflare, Google, and Akamai prefer ChaCha20-Poly1305 for clients that signal a ChaCha20-first preference list. The pattern matches Chrome and Safari on lower-end ARM phones and saves battery on long sessions.
WireGuard VPN tunnels: WireGuard uses ChaCha20-Poly1305 as its only data-channel cipher. The protocol design rules out negotiation, so every WireGuard peer encrypts and authenticates with the same construction.
OpenSSH connections: OpenSSH ships [email protected] as the default cipher on modern releases. The suite covers both record encryption and the length field, which closes a class of length-leak attacks against the SSH transport.
QUIC and HTTP/3: QUIC defines TLS 1.3 cipher suites for its packet protection, and TLS_CHACHA20_POLY1305_SHA256 is one of the three required suites. Servers behind HTTP/3 negotiate it for mobile clients alongside AES-GCM.
IPsec and S/MIME: RFC 7634 added ChaCha20-Poly1305 to IKEv2 and IPsec ESP, and S/MIME 4.0 lists it as an AEAD content-encryption algorithm. Both use cases lean on the same construction the browsers and SSH stacks ship.
Library defaults: libsodium, BoringSSL, OpenSSL, and Bouncy Castle expose ChaCha20-Poly1305 as a first-class AEAD primitive, which makes it the go-to construction for application-layer encryption in IoT firmware and mobile apps.

What are the known issues with ChaCha20-Poly1305?

The construction itself is sound, but the moving parts around it, nonce handling, server preference order, and legacy client coverage, drive most of the field-level pain.

Nonce reuse breaks confidentiality: Every encryption with a given key needs a unique 96-bit nonce. A repeated nonce on the same key leaks the XOR of the two plaintexts and lets an attacker forge Poly1305 tags. TLS rotates nonces per record, but custom application-layer use of the cipher has to manage the counter explicitly.
Older clients miss it: Internet Explorer, Edge 12 to 18, Safari on macOS 10.13 and earlier, and the legacy AOSP Android Browser do not support ChaCha20-Poly1305. A server cipher list that drops AES-GCM in favor of ChaCha20 will break those clients on the handshake.
Server preference matters: Many TLS 1.2 servers honor server preference order, so a cipher list that puts AES-GCM before ChaCha20 forces every connection to AES-GCM, even on a battery-constrained mobile client. NGINX, HAProxy, and Apache all expose a chacha20-equal-preference toggle.
Two cipher-suite code points historically: Chrome 33 to 48 used a draft code point, while Chrome 49 onward and OpenSSL 1.1 use the RFC 7905 code points. A misconfigured server that only advertises the draft code point will not negotiate with modern clients.
HSM and FIPS gaps: Hardware security modules and FIPS 140-3 validated stacks often only certify AES-GCM. Workloads under those constraints cannot use ChaCha20-Poly1305 for record protection without an exception, even when the rest of the fleet prefers it.
Length-extension on OpenSSH variants: Older non-OpenSSH ChaCha20 SSH variants did not authenticate the packet length field, which led to plaintext-recovery research. OpenSSH's [email protected] fixed this, but custom SSH-like protocols that copied the early design need the OpenSSH variant.

In my experience, the cleanest deployment is to enable both ChaCha20-Poly1305 and AES-256-GCM on the server, set chacha20-equal-preference so the client signal wins, and keep one AES-CBC suite around only for the IE 11 long tail. The mobile clients pick ChaCha20 on their own, the desktop clients land on AES-GCM, and the legacy holdouts still negotiate something the server can audit.

Citations

All ChaCha20-Poly1305 version numbers and platform notes in this guide come from these primary sources:

RFC 8439, ChaCha20 and Poly1305 for IETF Protocols: datatracker.ietf.org/doc/html/rfc8439
RFC 7905, ChaCha20-Poly1305 Cipher Suites for TLS: datatracker.ietf.org/doc/html/rfc7905
RFC 8446, The Transport Layer Security (TLS) Protocol Version 1.3: datatracker.ietf.org/doc/html/rfc8446
RFC 7634, ChaCha20, Poly1305, and Their Use in IKEv2 and IPsec: datatracker.ietf.org/doc/html/rfc7634
Wikipedia, ChaCha20-Poly1305: en.wikipedia.org/wiki/ChaCha20-Poly1305
Cloudflare blog, It takes two to ChaCha (Poly): blog.cloudflare.com/it-takes-two-to-chacha-poly
Cloudflare blog, Do the ChaCha: better mobile performance with cryptography: blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography
Mozilla Server Side TLS: wiki.mozilla.org/Security/Server_Side_TLS
Mozilla NSS release notes, NSS 3.24: firefox-source-docs.mozilla.org/security/nss/releases/nss_3_24.html
Apple Developer, Security framework SecureTransport: developer.apple.com/documentation/security/secure_transport
Chrome Platform Status, ChaCha20 cipher suites: chromestatus.com/feature/5658119915208704
WireGuard protocol whitepaper: wireguard.com/papers/wireguard.pdf
OpenSSH PROTOCOL.chacha20poly1305 specification: github.com/openssh/openssh-portable/blob/master/PROTOCOL.chacha20poly1305

Author

Prince Dewani

Blogs: 8

Prince Dewani is a Community Contributor at TestMu AI, where he manages content strategies around software testing, QA, and test automation. He is certified in Selenium, Cypress, Playwright, Appium, Automation Testing, and KaneAI. Prince has also presented academic research at the international conference PBCON-01. He further specializes in on-page SEO, bridging marketing with core testing technologies. On LinkedIn, he is followed by 4,300+ QA engineers, developers, DevOps experts, tech leaders, and AI-focused practitioners in the global testing community.