If CTCP is vulnerable to this issue then many other events on IRC would be as well. Every time you join/part/message a channel or query/message a user, you will be sending known plaintext. So blocking CTCP will make very little difference. All someone has to do is to send you a private message and then wait for you to reply and they will know that the stream of data contains "PRIVMSG nickname". Or they can just wait for you to join and talk on a channel and they will know that the stream of data contains "JOIN #channel" or "PRIVMSG #channel". This of course applies equally to all protocols that use known, repeated plaintext, not only IRC.

As mentioned in a previous post, if a client uses OpenSSL's "empty fragment" feature, which is enabled by default in OpenSSL, this mitigates the vulnerability. I have just checked the settings mIRC uses in the SSL_CTX_set_options() command, which a client can use to change the way OpenSSL behaves. mIRC uses the recommended SSL_OP_ALL option which includes SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS. Many applications use SSL_OP_ALL for compatibility reasons to ensure that a client can connect to different SSL server implementations.

I could remove the SSL_OP_ALL option from the next version of mIRC but this could result in it no longer being able to connect to some SSL servers. I would guess that most public IRC servers use OpenSSL, so they should not be affected. However mIRC is used by many different types of users and organizations, some of whom may use SSL server implementations that cannot handle the "empty fragment" feature.

That said, I have been reading through a large number of sites that discuss the BEAST exploit, which is browser-based, uses Java/JavaScript, and seems to require a combination of other technologies (see here for a technical explanation) and I honestly can't tell whether it can be extended to IRC. There is a lot going on there.

Does anyone actually know whether the exploit extends to secure IRC connections? i.e. connections other than the specific exploit context that BEAST uses?