Hello,

It appears that mIRC is especially vulnerable to the BEAST TLS attack due to the fact that any user on the IRC network can make mIRC generate an unlimited number of responses using the CTCP VERSION command (which is impossible to disable in mIRC). The CTCP VERSION command makes the mIRC user send a known plaintext encrypted through SSL which helps the BEAST attack.

This way, if the attacker (Eve) is between the user (Alice) and the server (Bob) e.g. on the local network, then Eve will be able to decrypt all encrypted communications between Alice and Bob.

Suggestion for mitigation of this vulnerability: Make the response to CTCP version configurable user side, i.e. create a checkbox in mIRC configuration allowing the user to enable automatic response to CTCP version, and make this disabled by default.

Thank you.
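
The default-off setting suggested in the post, sketched as an added Python example (not mIRC's code and not part of the original post): a client-side handler that answers CTCP VERSION only when the user has opted in. The reply cap goes beyond the post's checkbox suggestion; it, the class and function names, and the version string are assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field

CTCP = "\x01"  # CTCP messages are wrapped in this delimiter


@dataclass
class VersionReplyPolicy:
    enabled: bool = False        # the post's suggestion: off unless the user opts in
    max_replies: int = 3         # assumption: cap per window, not in the post
    window_seconds: float = 60.0
    version_string: str = "ExampleClient 1.0"  # constructed value
    _sent: list = field(default_factory=list, repr=False)

    def allow(self, now: float) -> bool:
        if not self.enabled:
            return False
        # Keep only the replies still inside the sliding window.
        self._sent = [t for t in self._sent if now - t < self.window_seconds]
        if len(self._sent) >= self.max_replies:
            return False
        self._sent.append(now)
        return True


def parse_version_request(line: str):
    """Return the sender's nick if line is a CTCP VERSION request, else None."""
    if not line.startswith(":"):
        return None
    prefix, _, rest = line[1:].rstrip("\r\n").partition(" ")
    command, _, params = rest.partition(" ")
    _, sep, text = params.partition(" :")
    if command.upper() != "PRIVMSG" or not sep:
        return None
    if len(text) < 2 or text[0] != CTCP or text[-1] != CTCP:
        return None
    if text[1:-1].split(" ", 1)[0].upper() != "VERSION":
        return None
    return prefix.split("!", 1)[0]


def handle_line(line: str, policy: VersionReplyPolicy, now=None):
    """Return the NOTICE to send back, or None when the request is ignored."""
    nick = parse_version_request(line)
    if nick is None:
        return None
    if not policy.allow(time.monotonic() if now is None else now):
        return None
    return f"NOTICE {nick} :{CTCP}VERSION {policy.version_string}{CTCP}"
```

With the default policy every VERSION request is dropped silently; with `enabled=True` the cap bounds how many replies any remote user can trigger per window.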