We actually received that question from a reporter yesterday, and I wrote an answer (one which is in the new version of the FAQ that hasn't been pushed :/) that I vetted against the other security people working on our protocol, so before I write something one-off, I'll copy/paste that and see if it is sufficient (as I'd prefer to not accidentally make any security claims that we are not prepared to stand by ;P).
> We are working on techniques involving "traffic steganography" that will make the the traffic used by Orchid look like "normal" internet traffic (such as web requests and video calls). There are also existing simpler techniques such as "domain fronting", where you send your traffic to a large company such as Amazon--one which uses a CDN to efficiently route traffic--and cause their CDN to forward your traffic to your servers; this has been used successfully against the Great Firewall of China in the past.
> Of course, we also need to hide the list of destination servers, as otherwise these could be collected by the adversary and blocked outright. Our current solution to this involves cycling through large numbers of random IP addresses on various hosting solutions, which we believe will force anyone trying to block our traffic to end up blocking large areas of the internet--such as every server being hosted on Amazon Web Services--which would cause a serious problem for Chinese businesses and residents.
> For more information on this, see our discussion of Firewall Circumvention Features (Section 12) of our whitepaper.
> We are working on techniques involving "traffic steganography" that will make the the traffic used by Orchid look like "normal" internet traffic (such as web requests and video calls). There are also existing simpler techniques such as "domain fronting", where you send your traffic to a large company such as Amazon--one which uses a CDN to efficiently route traffic--and cause their CDN to forward your traffic to your servers; this has been used successfully against the Great Firewall of China in the past.
> Of course, we also need to hide the list of destination servers, as otherwise these could be collected by the adversary and blocked outright. Our current solution to this involves cycling through large numbers of random IP addresses on various hosting solutions, which we believe will force anyone trying to block our traffic to end up blocking large areas of the internet--such as every server being hosted on Amazon Web Services--which would cause a serious problem for Chinese businesses and residents.
> For more information on this, see our discussion of Firewall Circumvention Features (Section 12) of our whitepaper.