
You and turtles are suffering from the cryptographic equivalent of a hypercorrection, in the same way that well-intentioned people insist on the propriety of the grammatically impossible phrase "between you and I" (which should be "between you and me," because prepositions take objects, not subjects.) The two of you have had the irreversibility of one-way hashes drilled into your heads, just as many of us were taught when young not to say "me and Susie were playing on the swingset." And you have an allergic reaction to anyone using "decrypt" and "hash" in the same sentence, which can lead to that allergy triggering a false positive. In this case that's what's happening.

Cryptographic hashes are irreversible. That's the point of such a device. But there is nothing stopping someone from taking the result of a cryptographic hash and then encrypting it, and then that someone or someone else decrypting that ciphertext to recover the hash result. E(H(S), k) leads to an encrypted hash, and D(E(H(S), k), k) recovers the hash. It's computationally infeasible to retrieve S. But nobody wanted to do that; they just wanted to know H(S).

You are correct that the server compares the result of the hash (which in context can also be called a "hash," such as "I used SHA-256 on my term paper, and then I spray-painted the hash on the face of the town clock tower, thus proving the existence of my term paper before the class deadline"). Nobody's arguing that. But how did it obtain the thing it's comparing its own result to, without M also obtaining that thing?

(I'm actually not sure whether TLS sends the actual hash or bases subsequent computations on the assumption that both sides can independently derive it. But if it does the former, it's totally fine to say "it decrypts the hash," which is the objection of the parent of this thread.)
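A worked version of E(H(S), k) and D(E(H(S), k), k) from the comment above, as an added example that is not code from the thread: SHA-256 is the hash, and a one-time-pad XOR stands in for the cipher (an assumption chosen so the script runs offline; any real cipher would do). It also shows the server-side step the comment describes, recomputing the hash over what the server knows and comparing it to the recovered one.

```python
import hashlib
import hmac
import os

# Added example, not from the HN thread. H is SHA-256. E/D is a stand-in
# cipher (assumption): a one-time-pad XOR with a 32-byte key, used only so
# the script has no dependencies beyond the standard library.

def H(s: bytes) -> bytes:
    """One-way hash: no key, and no way back to s."""
    return hashlib.sha256(s).digest()

def E(m: bytes, k: bytes) -> bytes:
    """Encrypt m under key k (stand-in: XOR with a same-length key)."""
    assert len(m) == len(k), "one-time pad needs a key as long as the message"
    return bytes(a ^ b for a, b in zip(m, k))

def D(c: bytes, k: bytes) -> bytes:
    """Decrypt: XOR is its own inverse, so D(E(m, k), k) == m."""
    return E(c, k)

def recover_hash(secret: bytes, k: bytes) -> tuple[bytes, bytes]:
    """Return (H(secret), D(E(H(secret), k), k)).

    The second value is the hash itself, recovered from the ciphertext;
    nothing here recovers `secret`.
    """
    h = H(secret)
    ciphertext = E(h, k)
    return h, D(ciphertext, k)

def server_check(candidate: bytes, received_hash: bytes) -> bool:
    """The verifier's step: hash what it knows and compare in constant time."""
    return hmac.compare_digest(H(candidate), received_hash)

if __name__ == "__main__":
    k = os.urandom(32)
    S = b"term paper draft (constructed sample input)"
    h, recovered = recover_hash(S, k)
    print("hash recovered intact:", recovered == h)
    print("matches S:", server_check(S, recovered))
    print("matches other input:", server_check(b"other", recovered))
```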

Thanks, TIL :)