Hacker News

and hash the passwords on the browser.


I agree that that will be safe, provided you use the same browser-side hash function that the bank uses.


You can't have it both ways. If you are hashing the password before it is sent from the client to the server, you need the raw password on the server side.

(Assuming you are concatenating it with a server-provided random value before the hashing.)


You're assuming they're using a secure challenge response protocol. They're not. They're sending password-equivalent hashes over the wire, so they can say they're not sending passwords.

You'd be right to point out that this is a lot of silly acrobatics to go through to avoid a single SSL login page.
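To make the two designs in this thread concrete, here is an added example (my own Python, not code from any commenter or from the bank being discussed) modelling both: a static browser-side hash, which is password-equivalent and can simply be resubmitted, and a response bound to a server-issued random challenge, which cannot. The username-as-salt and the password are constructed sample values; the server-side storage is simplified to a single stored secret per user.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential for the demonstration (not real data).
PASSWORD = "correct horse battery staple"
SALT = "user@example.com"  # static, public per-user salt


# --- Design 1: static browser-side hash (what the thread criticises) ---
def static_client_hash(password: str, salt: str) -> str:
    """What the browser sends: sha256(salt || password). Same value on every login."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def static_server_verify(stored: str, received: str) -> bool:
    """Server compares the wire value with what it stores; the stored value *is* the credential."""
    return hmac.compare_digest(stored, received)


# --- Design 2: challenge-response over a server-provided random value ---
def server_issue_challenge() -> str:
    """Fresh unpredictable nonce per login attempt."""
    return secrets.token_hex(16)


def client_response(password: str, salt: str, nonce: str) -> str:
    """HMAC of the nonce, keyed with the derived secret; differs for every nonce."""
    secret = static_client_hash(password, salt)
    return hmac.new(secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def server_verify_response(stored_secret: str, nonce: str, received: str) -> bool:
    # The server must hold the same secret to recompute the HMAC, which is the
    # point made above: the verifier needs the password (or its derived key) at rest.
    expected = hmac.new(stored_secret.encode(), nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


def replay_succeeds_static() -> bool:
    """Model a passive observer recording one login message and resubmitting it."""
    stored = static_client_hash(PASSWORD, SALT)    # what the server keeps
    captured = static_client_hash(PASSWORD, SALT)  # what crossed the wire earlier
    return static_server_verify(stored, captured)  # True: the hash is password-equivalent


def replay_succeeds_challenge() -> bool:
    """Same observer, but the server issues a new nonce for the second attempt."""
    stored = static_client_hash(PASSWORD, SALT)
    captured = client_response(PASSWORD, SALT, server_issue_challenge())
    return server_verify_response(stored, server_issue_challenge(), captured)  # False
```

Note that design 2 only defeats replay of the wire message; it does nothing for a compromised server database, which is why the thread's "single SSL login page" remains the simpler answer.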



