by mananaysiempre 1845 days ago
No need to replace AES except for implementation concerns, because constant-time AES on a CPU with caches but without AES in hardware is an absolute nightmare. I mean, have you seen how bitslicing works? It’s awful. Brilliantly clever, but still awful.

I believe better performance without hardware specializations is why the chacha cipher was invented and added to TLS. I even think most big websites prefer it, for better mobile experience.
> I even think most big websites prefer it, for better mobile experience.

Actually the clients get to present a list of ciphers in descending order of preference, a server can (and most will) choose the first from the list that they're willing to use.

So from most heavier devices AES will be chosen because they have a hardware AES accelerator and so they put AES suites at the top of the list, while devices that don't are likely to put a suite with ChaCha20 at the top.

AES is Mandatory To Implement for modern TLS; even if your client can't do it efficiently, you will need to support it in case your peer doesn't want to agree anything else.
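The selection rule the thread describes (client offers suites in preference order, server takes the first one it is willing to use, AES stays in every offer because it is mandatory to implement), as an added example that is not part of the thread. The TLS 1.3 suite names are the real RFC 8446 identifiers; the device and server lists are constructed for illustration.

```python
# Added example (not from the HN thread): a model of TLS cipher-suite
# selection as the comment describes it. Suite names are the real TLS 1.3
# identifiers from RFC 8446; the device and server lists are constructed.

TLS13_SUITES = (
    "TLS_AES_128_GCM_SHA256",      # mandatory to implement in TLS 1.3
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
)
MANDATORY = "TLS_AES_128_GCM_SHA256"


def client_preferences(has_aes_hw):
    """Order the client's offer: AES-GCM first when the device has a hardware
    AES unit, ChaCha20-Poly1305 first when it does not. AES is offered either
    way, because a peer may refuse to agree on anything else."""
    aes = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
    chacha = ["TLS_CHACHA20_POLY1305_SHA256"]
    return aes + chacha if has_aes_hw else chacha + aes


def server_select(client_prefs, server_supported):
    """Server honours the client's order: the first offered suite the server
    is willing to use wins. Returns None when nothing overlaps, which in a
    real handshake is a fatal handshake_failure alert."""
    for suite in client_prefs:
        if suite in server_supported:
            return suite
    return None


def negotiate(has_aes_hw, server_supported):
    return server_select(client_preferences(has_aes_hw), server_supported)


if __name__ == "__main__":
    full_server = set(TLS13_SUITES)
    print("laptop with AES-NI    ->", negotiate(True, full_server))
    print("phone without AES hw  ->", negotiate(False, full_server))
    # A server implementing only the mandatory suite still interoperates
    # with both clients, because both still offer AES.
    print("minimal server        ->", negotiate(False, {MANDATORY}))
    # A client that drops AES from its offer cannot talk to that server.
    only_chacha = ["TLS_CHACHA20_POLY1305_SHA256"]
    print("client without AES    ->", server_select(only_chacha, {MANDATORY}))
```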