Hi Jeroen,
I’d be inclined to change it to HTTPS completely. There are few circumstances where someone would deliberately *want* to retrieve the JSON from an HTTP endpoint instead of an HTTPS one. If Last.fm fail to renew their SSL certificates, that might cause warnings, but other than that it should be safe and standard.
As for API keys – I’m used to services that require per-user API keys for purposes of rate-limiting and caching. If Last.fm are happy with a generic API key for everyone using this plugin, that makes it easier for users who don’t want to go to the trouble of requesting their own Last.fm API account.
Cheers,
-Martin.